Uber Exec Allegedly Concealed 2016 Hack With $100K BTC ‘Bug Bounty’ Pay-Off

Published at: Aug. 21, 2020

Joseph Sullivan, a former Chief Security Officer at Uber, allegedly tried to cover up a 2016 hack of sensitive data by funneling a hush money payment of $100,000 in Bitcoin through a bug bounty program.

The hackers had obtained the drivers’ license numbers of roughly 600,000 Uber drivers as well as private information for roughly 57 million users.

According to an Aug. 20 announcement from the U.S. Department of Justice (DoJ), Sullivan has been charged with obstruction of justice and misprision of a felony in connection with the 2016 hack. The former CSO is accused of taking “deliberate steps to conceal, deflect, and mislead” the Federal Trade Commission (FTC) regarding the data breach and the associated $100,000 Bitcoin (BTC) hush money payment.

The DoJ accused him of preventing knowledge of the breach from being reported to the FTC by funneling the Bitcoin hush money through a bug bounty program. Ordinarily such programs are used for legitimate payments to ‘white hat’ hackers who report on a company’s security issues, not those who actually obtain unauthorized data.

“We will not tolerate illegal hush money payments,” said U.S. Attorney David Anderson. “Silicon Valley is not the Wild West.”

The agency also alleges Sullivan tried to conceal the company’s involvement in the breach by asking the hackers to sign non-disclosure agreements falsely stating they had not obtained any personal data from Uber — even while they were anonymous. When an investigation unmasked two of the individuals responsible for the breach, the DoJ alleges Sullivan still asked for the hackers to sign NDAs rather than report them.

Bradford Williams, a spokesman for Sullivan, said “there is no merit to the charges” in a statement to Cointelegraph.

“From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” Williams stated. “Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”

Two of the hackers involved in the Uber breach pleaded guilty to charges of computer fraud conspiracy in October and are now awaiting sentencing.

Companies are increasingly being forced to deal directly with cyber criminals — though most remain within the law while doing so. Representatives from U.S.-based corporate travel firm CWT were able to negotiate a 50% discount from hackers demanding a $10 million payment after they stole sensitive files from the company in July.

More recently, the University of California conducted a week-long negotiation with a NetWalker ransomware group after it shut down seven of the institution’s servers. The university was able to convince the group to come down from $3 million to $1 million using respectful and flattering language in their chats.
