According to the announcement made by the United States Department of Justice (DOJ), they have opened a case against Uber’s former Chief Security Officer (CSO), Joseph Sullivan. As per the allegations, he had paid hush money for keeping details of the 2016 data hack a secret. The DOJ revealed that Uber and Sullivan had knowledge of the data breach that had happened back in 2016, which had resulted in the disclosure of information of around 600,000 drivers working at Uber. Approximately 57 million app users had also been affected by the hack and their private information had been exposed to risk.
However, the allegations indicate that Sullivan tried his level best to keep the hacker’s details concealed and not reach government authorities. The former CSO has been accused of paying $100,000 in Bitcoin through a bug bounty program at the time for the purpose of keeping information pertaining to the hack a secret. White hat trackers are the ones who typically use bug bounty programs for reporting on the stringent security issues of companies. These are legitimate programs that hackers can use for informing companies about the faults in their systems and the companies pay them for providing this service. Top tech companies, such as Samsung and Apple, are known to have such programs in place.
Moreover, Sullivan had also allegedly taken steps for misleading and deflecting the Federal Trade Commission (FTC) while they were investigating, both regarding the $100,000 he had paid in hush money and about the data breach. In fact, the former CSO had gone as far as having the hackers sign non-disclosure agreements in which they had falsely stated that they didn’t access any personal information from Uber. Even though an investigation led to the identification of two hackers who were behind the breach, Sullivan hadn’t reported the breach to the relevant authorities and only made other hackers sign NDAs.
As per the announcement made by the DOJ, Sullivan is now being charged for obstruction of justice and misprision of a felony. He has denied all these allegations. Bradford Williams, his spokesperson explained that these allegations were without merit and unfounded. He said that the only reason Uber and other regulators had found out about the hacks was due to Sullivan’s efforts. He also added that the former CSO had collaborated with the relevant teams and executives at Uber and he did all of this in compliance with the company’s policies.
This case is just another one in a string of company officials using cryptocurrencies for communicating with hackers. The most common one is through ransomware, which involves companies having to pay crypto to hackers for restoring their online systems after the hackers induce downtimes. According to Reuters, 414 BTC, which is around $4.5 million, was paid to ransomware attackers by travel agency CWT. The Ragnar Locker ransomware was used by the hackers for disabling access to more than 30,000 computers and for stealing sensitive data. Initially, the hackers had demanded $10 million, but the company’s security officials negotiated to bring it down citing the COVID-19 pandemic.