In an extraordinary case, a former chief security officer of Uber, the ride hailing service, has been criminally charged with attempting to cover up a 2016 hacking.
Reports say that the hack leaked the personal information of nearly 57 million customers and drivers of the service.
Joseph Sullivan, was charged with criminal obstruction of justice by the US Department of Justice, alleging that he took “deliberate measures” to prevent the Federal Trade Commission (an independent US agency that focuses on antitrust and consumer protection laws) from finding out about the hack when the agency was investigating Uber security after an earlier hack.
It is the first time a corporate Information Security officer has been arrested for covering up a data breach.
Sullivan arranged to pay the hackers $100,000 from the Uber scheme that is meant to reward security researchers who disclose vulnerabilities in the service.
Sullivan, a former head of security at Facebook, now serves as the chief information security officer at Cloudfare, a US based web infrastructure and website security company.
The lawsuit claims that Sullivan had non-disclosure agreements signed by the hackers which falsely claimed they had not stolen data. It alleges that the then-CEO Travis Kalanick was also aware of these actions.
After learning the severity of the violation, Kalanick’s successor as CEO — current Uber chief Dara Khosrowshahi — disclosed the payout, then fired Sullivan and a deputy. Uber also paid $148 million to all 50 US states to settle claims.
The Uber case will resonate with the increasing number of companies dealing directly with hackers.
Many have bounty programs like Uber’s, which are commonly seen as a mechanism for improving safety and an opportunity for hackers to stay within the law. But some participants do not abide by the rules.
In the Uber case, the FBI noted, the two main hackers went on to attack other firms which could have been averted if Sullivan had gone to law enforcement first.
The case also suggests that companies paying hackers to get rid of ransomware, malicious programs that encrypt their files, are not exempted from reporting personal sensitive information losses.