A lawsuit filed Thursday in US District Court in San Francisco alleges that Joe Sullivan, who led Uber’s security team for more than two years until November 2017, “engaged in a scheme to detain and cover up” both the hack and the amount of data that has been exposed by the US Federal Trade Commission.
The complaint alleges that Sullivan and Uber arranged to pay hackers $100,000 in exchange for signing a hacking nondisclosure agreement, which falsely stated that they did not view or store company data. Uber did not disclose the violation or payment until late 2017.
“Silicon Valley is not the Wild West,” US Attorney David Anderson said in a statement announcing the charges. “We will not tolerate illegal silent money payments.”
Sullivan, a former U.S. assistant prosecutor, joined Uber in 2015 from Facebook, where he served as chief security officer for more than five years after stints at eBay and PayPal. He is currently the director of security for internet infrastructure company CloudFlare.
Williams added, “From the outset, Mr. Sullivan and his team worked closely with Uber’s legal, communications and other relevant teams in accordance with written company policies. These policies made it clear that Uber’s legal department – not Mr. Sullivan or his group – was responsible for deciding whether, and to whom, the case should be disclosed.”
A spokesperson for Uber said the company continued to “fully cooperate” with the Justice Department’s investigation. The data breach has attracted close scrutiny from regulators in the United States as well as other countries including the United Kingdom, Australia, Italy and the Philippines.
“Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we run our business today: transparency, integrity and accountability,” Uber said in a statement.
In September 2018, Uber agreed to pay $148 million to settle a 2016 data breach investigation that the company was accused of intentionally covering up. The settlement, reached with attorneys general for all 50 states and Washington, DC, was the largest multi-state data breach settlement on record, according to the New York attorney general at the time.
As part of the settlement, Uber agreed to develop and implement a corporate integrity program for employees to report unethical behavior. It also agreed to adopt a model for reporting data breaches and data security practices, as well as to hire an independent third party to assess its data security practices.
The investigation examined allegations that the rideshare company violated state-level notification laws by intentionally withholding the fact that the violation had occurred.
Uber also previously settled a case with the FTC, which was investigating allegations that Uber deceived customers about the breach.
Sara O’Brien of CNN contributed to this report.