Skip to content Skip to Search
Skip navigation

Uber ex-security chief accused of hacking coverup faces charges

Creative Commons
Uber, which operates in more than 70 countries and 10,000 cities globally, will compete locally with services such as Gett and Yango

A federal judge on Tuesday said a former Uber Technologies Inc security chief must face wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed personal information of 57 million passengers and drivers.

The US Department of Justice had in December added the three charges against Joseph Sullivan to an earlier indictment, saying he arranged to pay money to two hackers in exchange for their silence, while trying to conceal the hacking from passengers, drivers and the US Federal Trade Commission.

US District Judge William Orrick in San Francisco rejected Sullivan’s claim that prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers would not flee and would continue paying service fees.

Orrick also rejected Sullivan’s claim that the people allegedly deceived were Uber’s then-chief executive, Travis Kalanick, and its general counsel, not drivers.

“Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them” according to the indictment, Orrick wrote.

Lawyers for Sullivan did not immediately respond to requests for comment. Sullivan also faces two obstruction charges.

The defendant was originally indicted in September 2020, and is believed to be the first corporate information security officer criminally charged with concealing a hacking.

Prosecutors said Sullivan arranged to pay the hackers $100,000 in bitcoin, and have them sign nondisclosure agreements that falsely stated they had not stolen data.

Uber had a bounty program designed to reward security researchers who report flaws, not to cover up data thefts.

Dara Khosrowshahi, Uber’s current chief executive, fired Sullivan after learning the extent of the breach.

In September 2018, the San Francisco-based company paid $148 million to settle claims by all 50 US states and Washington, DC that it was too slow to reveal the hacking.