DAVID GREENE, HOST:
Former top executive at Uber is accused of concealing a massive hack that exposed the data of 57 million drivers and passengers. He was fired and now faces criminal charges. NPR's tech correspondent Shannon Bond reports. And just to note here, Uber is an NPR financial supporter.
SHANNON BOND, BYLINE: When Joe Sullivan learned that hackers had stolen huge amounts of data from Uber back in 2016, he didn't tell regulators, law enforcement or the public. Instead, federal prosecutors allege Uber's chief security officer tried to hide it. Here's U.S. Attorney David Anderson, who filed the charges against Sullivan in federal court in Northern California.
DAVID ANDERSON: We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.
BOND: To keep the incident under wraps, prosecutors say Sullivan arranged for Uber to pay the hackers $100,000. And he had them sign nondisclosure agreements saying falsely that they never stole any data. That payment was made through Uber's bug bounty program. Many tech companies have similar programs offering rewards to so-called white hat hackers that test their systems for vulnerabilities. But Anderson says this payment was not a bug bounty. It was a cover-up.
ANDERSON: The problem isn't with a legitimate bug bounty. The problem is that this hush money payment was not a bug bounty. That's the problem.
BOND: Uber did eventually disclose the breach and fire Sullivan but not until a year later. Two men pleaded guilty to the hack last year. Now Sullivan is charged with obstructing justice and concealing a felony. A spokesman for Sullivan says there's no merit to the charges. He says it was up to Uber's legal team to report the breach. Uber says it's cooperating with the investigation. If he's convicted, Sullivan could face up to eight years in prison and $500,000 in fines.
Shannon Bond, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.