(Reuters) – In a unique case, a former head of security at Uber Technologies Inc. was accused on Thursday of trying to cover up a 2016 hack that exposed personal information about approximately 57 million of the company's customers and drivers.
The U.S. Department of Justice accused Joseph Sullivan, 52, of obstructing justice, saying he took "deliberate action" to prevent the Federal Trade Commission from learning about the hack while the agency monitored Uber's security in the wake of a previous violation.
The case is believed to be the first time a company's information security manager has been accused of hiding a hack.
Mr. Sullivan, himself a former federal prosecutor, arranged to pay the hackers $ 1
A former Facebook security chief, Mr. Sullivan now works as head of information security at Cloudflare.
In previous interviews, security personnel said that the Uber payout was intended to force hackers into the open to accept the money and to ensure that the data, in particular the driver's license information about Uber entrepreneurs, was destroyed.
The complaint says Mr. Sullivan got the hackers to sign non-disclosure agreements which incorrectly stated that they had not stolen data. It claims that then-CEO Travis Kalanick was aware of Sullivan's actions.
A spokeswoman for Kalanick declined to comment. A spokesman for Mr. Sullivan said he had worked with his colleagues on the case and that disclosure issues were decided by the legal department.
"If not for the efforts of Sullivan and his team, it is likely that the people responsible for this incident would never have been identified at all," said spokesman Brad Williams.
Mr. Kalanick's successor as CEO – current Uber boss Dara Khosrowshahi – revealed the payout, then fired Sullivan and a deputy after learning the extent of the breach. Uber then paid $148 million to resolve allegations from all 50 U.S. states and Washington, DC, that it had been too slow to uncover the hack.
The Uber case will resonate with the growing number of companies that deal directly with hackers.
Many have bounty programs like Uber's, which are commonly seen as a tool to improve security and provide an incentive for hackers to stay within the law. But some participants do not play by the rules.
In the Uber case, the FBI found, the two main hackers continued to attack other companies, which the agency said could have been averted if Mr. Sullivan had first gone to law enforcement. Both have pleaded guilty and are awaiting sentencing.
The case also suggests that companies that pay hackers to get rid of ransomware, malicious programs that encrypt their files, are not exempt from reporting the loss of personally sensitive information.