In 2016 Uber suffered a hacker attack and, in order to hide everything, the head of security paid the hackers $100,000 in bitcoin.
This is what emerges from the complaint filed by the US Department of Justice and presented by US Attorney David L. Anderson and FBI Special Agent Craig D. Fair.
The protagonist of the case is Joseph Sullivan, who was Chief Security Officer in 2016. Uber had already experienced security problems, but in 2016 something even worse happened. Two hackers managed to take possession of a database with the data of about 57 million Uber users and drivers. These data also contained 600,000 driving licence identifiers.
According to the DOJ, Sullivan worked to hide the case from the Federal Trade Commission.
Uber, the hacker attack and the payment in bitcoin
The FTC was in fact already investigating previous security problems experienced by Uber in 2014. In this investigation, Sullivan was called to testify in 2016. Ten days after his deposition, Uber was attacked again.
The IT department confirmed the violation but, according to the investigators’ reconstruction, Sullivan acted to keep the case from coming to light. For this reason, he agreed to pay $100,000 in bitcoin to two hackers, to whom he also submitted a non-disclosure agreement.
In this agreement, the two declared not to have come into possession of the Uber data. Furthermore, when the computer security team was able to identify the real identity of the hackers, Sullivan demanded that they sign a new agreement containing their real names. This second agreement also reiterated the fact that the hackers had not come into possession of the database.
When the new management, in 2017, discovered the whole matter, it made it public, allowing the authorities to investigate.
Once the case was known, Sullivan still tried to tone it down in the reports prepared for the new CEO. In those statements, he claimed that the hackers had only been paid after discovering their identity.
However, the two hackers are now being brought to justice. They already pleaded guilty on October 30th, 2019 in the California Court and are now awaiting sentencing.
Sullivan, on the other hand, will face charges of obstruction of justice and misprision of a felony and will now have to answer to the court, trying to prove his innocence.
The case casts a shadow over Uber’s management of user data. The change of management with the appointment of a new CSO in 2017, however, seems to represent a decisive turning point.
The authorities always encourage companies to cooperate in identifying hackers and never to cover up an attack. Prosecutor David L. Anderson said in this regard:
“Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Deputy FBI Special Agent Craig D. Fair concluded with an appeal:
“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”