Uber logo in a car window Image copyright Reuters

Uber’s former chief security officer Joseph Sullivan has been charged with obstruction of justice in the US.

The 52-year-old is accused of trying to cover up a data breach in 2016 that exposed the details of 57 million Uber drivers and passengers.

The company has previously admitted to paying a group of hackers a $100,000 (£75,000) ransom to delete the data they had stolen.

Mr Sullivan was fired in 2017 when the data breach was revealed.

The charges filed by the US Department of Justice said Mr Sullivan had taken “deliberate steps” to stop the Federal Trade Commission (FTC) from finding out about the hack.

He is accused of approving the $100,000 payment to the hackers, which was made in bitcoin.

The payment was disguised as a “bug bounty” reward, used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The charges allege that he asked the hackers to sign non-disclosure agreements, falsely stating they had not stolen any Uber data.

“Silicon Valley is not the Wild West,” said US lawyer David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect co-operation with our investigations. We will not tolerate corporate cover-ups.”

A spokesman for Mr Sullivan said he denied the charges.

“If not for Mr Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” said spokesman Brad Williams.

Mr Sullivan currently works as chief information security officer at cyber-security firm Cloudflare.

Uber chief executive Dara Khosrowshahi disclosed the data breach in 2017. The company eventually paid $148m to settle legal claims by all 50 US states and Washington DC.


By Joe Tidy, Cyber Reporter

When is a breach a breach?

This could be the key question facing the court in this case which will be watched closely by hackers and security experts around the world.

Mr Sullivan says he did nothing wrong and was simply rewarding the hackers a “bug bounty” for discovering a security flaw in Uber’s system.

Many large companies have open bug bounty schemes that invite hackers – under strict conditions – to test their computer systems for flaws.

If they find one, they get paid and the company can fix it without needing to alert the authorities.

But these hackers did not approach Uber as part of a scheme. They broke into the systems anonymously, stole data and held the company to ransom.

Effectively, Mr Sullivan is being accused of turning a serious hack into a routine bug bounty, which was therefore not worth notifying the authorities or his company about.

The fact that the hackers themselves have already pleaded guilty to the cyber-attack may not help Mr Sullivan’s case.