OAKLAND, Calif. — Uber’s former security chief was charged on Thursday with attempting to conceal from federal investigators a hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.
The criminal charges filed in U.S. District Court in San Francisco against Joe Sullivan, 52, are believed to be the first against an executive stemming from a company’s response to a security incident.
But the charges drew an important distinction between failing to protect Uber’s computer network and failing to tell the authorities about it. Prosecutors said that Mr. Sullivan committed two felonies when he didn’t disclose the 2016 incident to federal investigators who were already investigating a similar data breach that had occurred two years earlier.
“When a company like Uber gets hacked, we expect good corporate citizenship, we expect prompt disclosure to the employee and consumer victims in that hack. In this case, what we saw was the exact opposite of good corporate behavior,” said David Anderson, the U.S. attorney in San Francisco, in an interview.
If convicted on both charges, Mr. Sullivan could face up to eight years in prison. He is the second Uber employee to face federal charges related to his work at Uber, which for years cultivated a reputation for pushing legal boundaries as it established itself as the leading ride-hailing company. Anthony Levandowski, a former Uber engineer, was sentenced last month to 18 months in prison for stealing self-driving car trade secrets from Google.
Mr. Sullivan became Uber’s chief security officer in 2015 after leading cybersecurity efforts at Facebook. He led the ride-hailing company’s security work until he was fired in 2017 when his handling of the data breach, which also exposed the license numbers for about 600,000 drivers, was discovered by Uber’s newly appointed chief executive.
A spokesman for Mr. Sullivan, who is now the chief information security officer at the internet company Cloudflare, said Mr. Sullivan had acted with the approval of Uber’s legal department and there was no merit to the charges against him.
“If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” said Bradford Williams, the spokesman. He added that “Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
In a 2018 statement about the breach, Mr. Sullivan said, “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up.”
In 2016, hackers discovered a way to access Uber’s user data and quickly stole a copy of it. Uber found out when the hackers emailed the company and said they had acquired users’ personal information. They demanded money. Mr. Sullivan and other Uber employees negotiated a $100,000 payment and convinced the hackers to sign nondisclosure agreements.
Mr. Sullivan was “visibly shaken” when he learned of the hack and told others that he “could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out,” according to court documents.
At the time, the Federal Trade Commission was investigating Uber in connection with a similar data breach that had occurred two years earlier. But even though he was aware of the F.T.C. inquiry and spoke under oath with investigators, Mr. Sullivan did not inform F.T.C. officials about the 2016 hack, prosecutors said. He also kept information about the incident from Uber employees who were responsible for communicating with the F.T.C. about the earlier incident, according to court documents.
Uber attempted to handle the incident quietly through its so-called bug bounty program. Technology companies often pay bounties to security researchers who discover and report flaws in their software. But bug bounty experts questioned whether the payment Uber gave to the hackers fell within the ethical boundaries of such programs, which are designed to induce people to report security flaws so they can be fixed.
In October, Brandon Glover, a Florida resident, and Vasile Mereacre, a Canadian national, pleaded guilty to the hack. They could each face a maximum of five years in federal prison and are expected to be sentenced next year.
Uber did not disclose the breach until 2017, after its former chief executive, Travis Kalanick, was ousted by investors and replaced by Dara Khosrowshahi, Uber’s current chief.
Mr. Sullivan and Mr. Levandowski, the former engineer convicted of stealing trade secrets, were close to Mr. Kalanick. On the night Mr. Sullivan learned of the breach, Mr. Kalanick texted him, “Resources can be flexible in order to put this to bed but we need to document this very tightly,” according to court documents.
Mr. Khosrowshahi fired Mr. Sullivan and Uber’s legal director of security and law enforcement, Craig Clark, who had helped oversee the response to the security incident.
“We continue to cooperate fully with the Department of Justice’s investigation,” said Matt Kallman, an Uber spokesman. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity and accountability.”
The criminal charges against Mr. Sullivan are the latest in a string of legal entanglements stemming from the 2016 breach.
In 2018, the F.T.C. broadened a prior settlement it had reached with the company. Uber also paid $148 million to settle an investigation into the hack brought by several state attorneys general. Uber was also fined approximately $1.2 million by British and Dutch regulators in connection with the breach.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Xavier Becerra, California’s attorney general, said in a statement after finalizing the 2018 settlement.
Companies often face government investigations after their systems are hacked, and civil penalties against companies that do not promptly disclose these incidents are common.
But legal experts said that criminal charges against companies or their executives related to the handling of a breach are usually peripheral to the actual incident.
Two Equifax executives were convicted of insider trading after using their knowledge of a 2017 breach at the consumer credit reporting agency to sell their shares in the company. One was sentenced to four months in prison while another faced eight months of home confinement.
In 2018, Yahoo paid a $35 million fine to the Securities and Exchange Commission after failing to disclose a 2014 data breach. The Justice Department also investigated Yahoo’s failure to disclose but did not bring any charges.