The Uber Cover-Up
Uber's CSO paid the attackers a hundred thousand dollars through the bug-bounty program and called it a 'security research' payment. A jury later disagreed.
In October 2016, attackers obtained a hardcoded credential from a private Uber GitHub repository, used it to access an Amazon S3 bucket, and pulled the personal information of roughly fifty-seven million drivers and riders. The technical mechanics were unremarkable. What followed was not.
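The initial access step described above, a credential committed to a source repository, is the part of this incident a defender can catch mechanically. The following is an added example, not Uber's code or HackerOne's: a minimal secret scanner that flags AWS access key IDs by their documented prefix format and flags secret-key assignments only when the value has the entropy of real key material, so that placeholder values in fixtures do not drown the findings. The repository contents are constructed inline, and the key pair used is the placeholder pair from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Constructed sample "repository" (path -> file contents). The AKIA/secret pair is
# the placeholder pair AWS publishes in its documentation, used here as a fake secret.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment; never commit it.\n",
    "src/app.py": 'BUCKET = "rider-exports"\nTOKEN = "not-a-real-secret"\n',
    # Low-entropy placeholder: shaped like a secret, but clearly not one.
    "tests/fixtures.py": 'secret_key = "' + "a" * 40 + '"\n',
}

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 uppercase alnum.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret-key assignment whose value is exactly 40 base64-ish characters.
SECRET_ASSIGN = re.compile(
    r'(?i)(aws_secret_access_key|secret_key)\s*[=:]\s*["\']([A-Za-z0-9/+=]{40})["\']'
)
# Empirical cutoff: real 40-char AWS secrets score roughly 4.5-5.2 bits/char;
# repeated or dictionary-like placeholders score far lower.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Never echo a whole credential into scanner output or logs."""
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per suspected credential in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws-access-key-id", "preview": mask(m.group(0))})
        for m in SECRET_ASSIGN.finditer(line):
            value = m.group(2)
            # Entropy gate: skip obvious placeholders such as "aaaa..." or "x" * 40.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws-secret-access-key", "preview": mask(value)})
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan every file in the mapping and concatenate the findings in file order."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['preview']})")
```

Run as a pre-commit hook or CI step, this catches a key before it reaches a shared remote; run over full history rather than the working tree, since a key removed in a later commit is still readable in every earlier one. The entropy gate is what keeps the check usable: without it, every test fixture and documentation snippet that looks like a key becomes a finding people learn to ignore.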
A bug-bounty payment
Uber's chief security officer at the time, Joe Sullivan, negotiated with the attackers, paid them a hundred thousand dollars in Bitcoin through the company's HackerOne bug-bounty program, and obtained signed NDAs in exchange. The payment was logged as a bug-bounty disbursement. The attackers were treated, on paper, as security researchers.
The decision was made without notifying state attorneys general, who under US data-breach notification laws had a clear right to know. Uber did not disclose the breach publicly for more than a year.
A criminal conviction for the CSO
When new Uber leadership took over in 2017, the company disclosed the incident, fired Sullivan, and paid a $148 million settlement to all fifty US states. The Justice Department went further. In 2022, Sullivan was convicted of obstruction of justice and misprision of a felony — the first criminal conviction of a US chief security officer for his handling of a breach disclosure.
What the chronicle remembers
Uber 2016 redrew the legal map for the CSO role. The case is now standard reading in corporate-counsel briefings on breach response, and the line between a legitimate bug-bounty payment and an extortion settlement is discussed in much sharper terms than it was before Sullivan's indictment.