By Robert McMillan
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (August 21, 2020).
Uber Technologies Inc.'s former chief security officer, Joe
Sullivan, was charged Thursday for allegedly concealing from
federal authorities details about the massive data breach the
ride-hailing giant suffered in 2016.
Mr. Sullivan, a former federal prosecutor who is now chief
security officer at internet services company Cloudflare Inc., was
fired by Uber in 2017 for his role in the data breach, which
affected 57 million accounts.
At the time, Uber said Mr. Sullivan paid $100,000 to hackers via
the company's bug-bounty program, in an effort to conceal the
Prosecutors say Mr. Sullivan concealed the breach even as the
Federal Trade Commission was investigating a 2014 data breach at
Uber. "We expect prompt reporting of criminal conduct," U.S.
Attorney David L. Anderson said in a statement, adding that "we
will not tolerate corporate coverups. We will not tolerate illegal
Mr. Sullivan was charged in San Francisco on charges of
obstruction of justice and failing to report a crime, the
Department of Justice said in a press release. Mr. Sullivan faces
up to five years in prison if found guilty of obstructing
A spokesman for Mr. Sullivan said there was no merit to the
charges. "From the outset, Mr. Sullivan and his team collaborated
closely with legal, communications and other relevant teams at
Uber," the spokesman said in a statement. "Those policies made
clear that Uber's legal department -- and not Mr. Sullivan or his
group -- was responsible for deciding whether, and to whom, the
matter should be disclosed."
The charges against Mr. Sullivan are unusual, said Randy Gainer,
a retired lawyer who formerly specialized in data-breach law. While
chief security officers often take the blame for the missteps that
lead to a breach, "I'm not aware of another incident where a
security officer has been criminally charged," Mr. Gainer said. But
just as unusual, he said, was Mr. Sullivan's apparent decision to
not report the incident even after hackers had allegedly accessed
Uber has said the hack exposed the names, emails and phone
numbers of millions of riders, and about 600,000 drivers' license
numbers. The company, when it disclosed the hack, said financial
information such as credit cards and Social Security numbers
weren't taken and that it had identified the hackers and obtained
assurances they had destroyed the stolen data.
Uber continues to cooperate fully with the Justice Department's
investigation, a company spokesman said in an emailed
Dealing with the aftermath of the hack came at a tumultuous time
for Uber. Dara Khosrowshahi had only recently taken over as chief
executive after a year of controversies and missteps that took
place under his predecessor and Uber co-founder Travis Kalanick.
Uber in 2017 also fired its top driverless-car executive, Anthony
Levandowski, whom Google parent Alphabet Inc. had accused of
intellectual-property theft. The former Uber and Google executive
this month was sentenced to 18 months on one count of stealing
When the 2016 hack took place, Uber was already under scrutiny
by the FTC over a data breach two years earlier. Mr. Sullivan, at
the time, was involved in answering the regulator's questions about
the 2014 incident and then tried to cover up the latest incident
with the payment made via the digital currency bitcoin, the Justice
After being approached in 2016 by hackers demanding a six-figure
payout, Uber's security team soon concluded that the hackers were
able to access Uber's data in "almost the identical manner the 2014
attacker had used," prosecutors said in court filings.
The two hackers accessed Uber's data by first using stolen
credentials on the software-development site GitHub to gain access
to Uber's source code. There they found the digital keys that were
necessary to download the company's data, prosecutors say.
Instead of refusing the extortion payment and disclosing the
breach, Mr. Sullivan elected to pay the hackers through Uber's
bug-bounty program and forced them to sign non-disclosure
agreements, prosecutors say. The two men pleaded guilty to hacking
charges last year, the Justice Department said.
Uber didn't disclose any of these details of the 2016 breach to
the FTC, and instead claimed that it had made a number of
significant improvements to its data security since the 2014
incident, prosecutors say. "Uber relied on these supposed
improvements in arguing that the FTC should not bring a claim
against the company," prosecutors state.
An FTC spokeswoman declined to comment on the charges against
Cloudflare's chief executive, Matthew Prince, said on Twitter
that he hoped the matter would be resolved quickly.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
August 21, 2020 02:47 ET (06:47 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.
Historical Stock Chart
From Nov 2020 to Dec 2020
Historical Stock Chart
From Dec 2019 to Dec 2020