US charges former Uber exec with hiding hack
OAKLAND, Calif. — Uber’s former security chief was charged Thursday with attempting to conceal from federal investigators a hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.
The criminal charges filed in U.S. District Court in San Francisco against Joe Sullivan, 52, are believed to be the first against an executive stemming from a company’s response to a security incident.
But the charges drew an important distinction between failing to protect Uber’s computer network and failing to tell authorities about it. Prosecutors said Sullivan committed two felonies when he didn’t disclose the 2016 incident to federal investigators who were investigating a similar data breach that had occurred two years earlier.
“When a company like Uber gets hacked, we expect good corporate citizenship; we expect prompt disclosure to the employee and consumer victims in that hack,” said David Anderson, the U.S. attorney in San Francisco. “In this case, what we saw was the exact opposite of good corporate behavior.”
He is the second Uber employee to face federal charges related to his work at Uber. Anthony Levandowski, a former Uber engineer, was sentenced last month to 18 months in prison for stealing self-driving car trade secrets from Google.
Sullivan led Uber’s security work from 2015 until he was fired in 2017 when his handling of the data breach, which also exposed the license numbers for about 600,000 drivers, was discovered.
Sullivan is now the chief information security officer at the internet company Cloudflare. A company spokesman said Sullivan had acted with the approval of Uber’s legal department and there was no merit to the charges against him.