© 2021 WUNC North Carolina Public Radio

Former Uber Security Chief Charged With Paying 'Hush Money' To Conceal Data Breach

DAVID GREENE, HOST:

A former top executive at Uber is accused of concealing a massive hack that exposed the data of 57 million drivers and passengers. He was fired and now faces criminal charges. NPR's tech correspondent Shannon Bond reports. And just to note here, Uber is an NPR financial supporter.

SHANNON BOND, BYLINE: When Joe Sullivan learned that hackers had stolen huge amounts of data from Uber back in 2016, he didn't tell regulators, law enforcement or the public. Instead, federal prosecutors allege Uber's chief security officer tried to hide it. Here's U.S. Attorney David Anderson, who filed the charges against Sullivan in federal court in Northern California.

DAVID ANDERSON: We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.

BOND: To keep the incident under wraps, prosecutors say Sullivan arranged for Uber to pay the hackers $100,000. And he had them sign nondisclosure agreements saying falsely that they never stole any data. That payment was made through Uber's bug bounty program. Many tech companies have similar programs offering rewards to so-called white hat hackers that test their systems for vulnerabilities. But Anderson says this payment was not a bug bounty. It was a cover-up.

ANDERSON: The problem isn't with a legitimate bug bounty. The problem is that this hush money payment was not a bug bounty. That's the problem.

BOND: Uber did eventually disclose the breach and fire Sullivan but not until a year later. Two men pleaded guilty to the hack last year. Now Sullivan is charged with obstructing justice and concealing a felony. A spokesman for Sullivan says there's no merit to the charges. He says it was up to Uber's legal team to report the breach. Uber says it's cooperating with the investigation. If he's convicted, Sullivan could face up to eight years in prison and $500,000 in fines.

Shannon Bond, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.
