A U.S. District Court judge has ruled that former Uber Technologies Inc. Chief Security Officer Joe Sullivan must face wire fraud charges over allegations that he covered up a security breach involving the theft of 57 million passenger and driver records.
Sullivan (pictured) was initially charged in August 2020 with obstruction of justice and “misprision” or concealment of a felony by the U.S. Attorney’s Office in the Northern District of California. The Department of Justice added three additional changers against Sullivan in December, claiming that he arranged to pay money to two hackers to conceal the hacking.
Reuters reported Tuesday that lawyers for Sullivan argued prosecutors did not adequately allege he concealed the hacking to ensure that Uber drivers would not flee and would continue paying service fees. Judge William Orrick also rejected a claim that Sullivan was only attempting to deceive Uber’s then-Chief Executive Officer Travis Kalanick and Uber’s general counsel, not drivers.
“Those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them,” Orrick wrote.
The theft of the 57 million records took place in 2016 and came after Sullivan had assisted the Federal Trade Commission concerning Uber’s security practices following an earlier breach in 2014. Sullivan was made aware of the 2016 hack 10 days after providing testimony to the FTC but allegedly took steps to hide the details.
It is alleged that Sullivan paid the hackers by funneling the payoff through Uber’s bug bounty program. Sullivan also sought to have the hackers sign nondisclosure agreements that included a false representation that the hackers did not take or store any data. It was also alleged that Kalanick was aware of Sullivan’s actions.
The details of the hack only came to light when current CEO Dara Khosrowshahi took over the reins at Uber, but even then, Sullivan allegedly deceived the new management team by failing to provide them with critical details.
Uber paid $148 million in September 2018 to settle various investigations into the hack and it failed to disclose it at the time it happened. The two hackers were arrested and pleaded guilty to computer fraud conspiracy charges in October 2019.