In 2016, the US Federal Trade Commission (FTC) launched an investigation into Uber in connection with a data breach that occurred in 2014. During this investigation, Uber was hit with another breach by hackers who stole a database containing personal information on Uber drivers and users.
In August 2020, a criminal complaint was filed against Uber’s former chief security officer, Joseph Sullivan, for obstruction of justice, misprision of a felony, and an alleged cover-up of the 2016 data breach. According to the complaint, Uber attempted to classify the breach as part of its “Bug Bounty” program, pay off the hacker’s bounty, and hide the 2016 breach from the FTC and its customers. Uber’s Bug Bounty program encourages “white hat” hackers to discover bugs in good faith. Prosecutors allege that Sullivan “engaged in a scheme to withhold and conceal” the data breach and failed to report the hack to law enforcement.
Following the complaint, the DOJ issued a press release quoting David L. Anderson, the US Attorney for the Northern District of California, as stating, “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Matt Kallman, a spokesman for Uber, released a statement saying, “We continue to cooperate fully with the Department of Justice’s investigation. Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”