Uber’s former chief security officer Joseph Sullivan was charged with covering up a 2016 data breach that compromised the personal information of 57 million drivers and users.
Rather than report the breach to the Federal Trade Commission, which was investigating an earlier hack at the company, Sullivan paid the hackers $100,000 in Bitcoin, according to a statement Thursday from U.S. Attorney David L. Anderson in San Francisco. Sullivan is charged with obstruction of justice and failing to report his knowledge of a felony.
“Silicon Valley is not the Wild West,” Anderson said in the statement. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”
A spokesperson for Sullivan said there’s no merit to the charges.
“This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included,” Bradford Williams said in an email. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all.”
Sullivan, 52, joined Uber in 2015. He started his career as a federal prosecutor in computer hacking and intellectual property law. He’s been a quiet fixture of Silicon Valley for more than a decade, with stints at PayPal and EBay Inc. before becoming the chief security officer at Facebook in 2008.
The U.S. attorney’s office didn’t immediately respond to a request for information about who is representing Sullivan in the criminal case.
“We continue to cooperate fully with the Department of Justice’s investigation,” an Uber spokesperson said in a statement. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
Sullivan was contacted by one of the hackers in November 2016, about 10 days after he had given testimony in an FTC inquiry about Uber’s cyber security related to a 2014 data breach, according to the U.S. attorney’s statement. He didn’t disclose the new hack to the FTC and sought to pay off the hackers through a bounty program that rewards “white hat” hackers who let a company know about security flaws without stealing data.
The two hackers behind the 2016 breach pleaded guilty last year to computer fraud conspiracy charges. They both targeted and hacked other technology companies after Sullivan failed to alert law enforcement about the 2016 Uber hack, according to Anderson’s statement.
Williams said in his statement that Sullivan and his team collaborated closely with others at Uber and followed written policies.
“Those policies made clear that Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed,” according to the statement.