By Robert McMillan
Uber Technologies Inc.'s former chief security officer, Joe Sullivan, was charged Thursday for allegedly concealing from federal authorities details about the massive data breach the ride-hailing giant suffered in 2016.
Mr. Sullivan, a former federal prosecutor who is now chief security officer at internet services company Cloudflare Inc., was fired by Uber in 2017 for his role in the data breach, which affected 57 million accounts.
At the time, Uber said Mr. Sullivan paid $100,000 to hackers via the company's bug-bounty program, in an effort to conceal the breach.
Prosecutors say Mr. Sullivan concealed the breach even as the Federal Trade Commission was investigating a 2014 data breach at Uber. "We expect prompt reporting of criminal conduct," U.S. Attorney David L. Anderson said in a statement, adding that "we will not tolerate corporate coverups. We will not tolerate illegal hush-money payments."
Mr. Sullivan was charged in San Francisco with obstruction of justice and failing to report a crime, the Department of Justice said in a press release. Mr. Sullivan faces up to five years in prison if found guilty of obstructing justice.
A spokesman for Mr. Sullivan said there was no merit to the charges. "From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber," the spokesman said in a statement. "Those policies made clear that Uber's legal department -- and not Mr. Sullivan or his group -- was responsible for deciding whether, and to whom, the matter should be disclosed."
The charges against Mr. Sullivan are unusual, said Randy Gainer, a retired lawyer who formerly specialized in data-breach law. While chief security officers often take the blame for the missteps that lead to a breach, "I'm not aware of another incident where a security officer has been criminally charged," Mr. Gainer said. But just as unusual, he said, was Mr. Sullivan's apparent decision to not report the incident even after hackers had allegedly accessed the data.
Uber has said the hack exposed the names, emails and phone numbers of millions of riders, and about 600,000 drivers' license numbers. The company, when it disclosed the hack, said financial information such as credit cards and Social Security numbers weren't taken and that it had identified the hackers and obtained assurances they had destroyed the stolen data.
Uber continues to cooperate fully with the Justice Department's investigation, a company spokesman said in an emailed statement.
Dealing with the aftermath of the hack came at a tumultuous time for Uber. Dara Khosrowshahi had only recently taken over as chief executive after a year of controversies and missteps that took place under his predecessor and Uber co-founder Travis Kalanick. Uber in 2017 also fired its top driverless-car executive, Anthony Levandowski, whom Google parent Alphabet Inc. had accused of intellectual-property theft. The former Uber and Google executive this month was sentenced to 18 months on one count of stealing trade secrets.
When the 2016 hack took place, Uber was already under scrutiny by the FTC over a data breach two years earlier. Mr. Sullivan, at the time, was involved in answering the regulator's questions about the 2014 incident and then tried to cover up the latest incident with the payment made via the digital currency bitcoin, the Justice Department said.
After being approached in 2016 by hackers demanding a six-figure payout, Uber's security team soon concluded that the hackers were able to access Uber's data in "almost the identical manner the 2014 attacker had used," prosecutors said in court filings.
The two hackers accessed Uber's data by first using stolen credentials on the software-development site GitHub to gain access to Uber's source code. There they found the digital keys that were necessary to download the company's data, prosecutors say.
Instead of refusing the extortion payment and disclosing the breach, Mr. Sullivan elected to pay the hackers through Uber's bug-bounty program and forced them to sign non-disclosure agreements, prosecutors say. The two men pleaded guilty to hacking charges last year, the Justice Department said.
Uber didn't disclose any of these details of the 2016 breach to the FTC, and instead claimed that it had made a number of significant improvements to its data security since the 2014 incident, prosecutors say. "Uber relied on these supposed improvements in arguing that the FTC should not bring a claim against the company," prosecutors state.
An FTC spokeswoman declined to comment on the charges against Mr. Sullivan.
Cloudflare's chief executive, Matthew Prince, said on Twitter that he hoped the matter would be resolved quickly.
Write to Robert McMillan at Robert.Mcmillan@wsj.com