Uber Technologies' (NYSE: UBER) former Chief of Security has been arrested for allegedly attempting to hide the company's 2016 data breach from the Federal Trade Commission (FTC). The data breach resulted in personal data for 57 million Uber drivers and customers being exposed.
Joseph Sullivan, the former chief of security at Uber, was indicted on charges of obstruction of justice for his actions involving a data breach and resulting extortion scheme. According to the Justice Department, Sullivan allegedly paid the hackers $100,000 worth of bitcoin to stifle news of the hack and had even attempted to convince them to sign non-disclosure agreements.
The complaint against Sullivan alleges that Uber's previous CEO, Travis Kalanick, was also aware of the hack and authorized the payment to the hackers, and that the company's general counsel was aware of it as well. Sullivan remained at his post until 2017, when he was dismissed by current Uber CEO Dara Khosrowshahi for his part in the incident. Sullivan later became Chief of Security at Cloudflare (NYSE: NET), a position he holds as of his indictment. The FTC would not learn of the hack until a year later, because Uber did not notify the Federal Government immediately.
Paramount to the allegation of wrongdoing is how the Justice Department alleges Uber went about trying to cover up the incident. The payment to the hackers was cloaked under Uber's "bug bounty" program, a type of program typical among tech companies in which bounties are offered to white-hat hackers if they can find and exploit a breach. The hackers divulge the breach to the company in exchange for payment, helping the company close the breach before data can be stolen. According to the indictment, Uber treated the hack as a white-hat hack, paid the hackers, and forced them to sign non-disclosure agreements (NDAs) to prevent the incident from becoming public. The NDAs are particularly troublesome, as they are totally out of line with the typical bug-bounty procedure in the tech sector. Companies will disclose the hacks once vulnerabilities are fixed.
Sullivan is contesting his role in the incident, with a spokesman saying that the Justice Department's claims have "no merit".
"From the outset, Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company's written policies. Those policies made clear that Uber's legal department, and not Mr. Sullivan or his group, was responsible for deciding whether, and to whom, the matter should be disclosed," his spokesman wrote.