Mr. Sullivan was “visibly shaken” when he learned of the hack and told others that he “could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out,” according to court documents.
At the time, the Federal Trade Commission was investigating Uber in connection with a similar data breach that had occurred two years earlier. But even though he was aware of the F.T.C. inquiry and spoke under oath with investigators, Mr. Sullivan did not inform F.T.C. officials about the 2016 hack, prosecutors said. He also kept information about the incident from Uber employees who were responsible for communicating with the F.T.C. about the earlier incident, according to court documents.
Uber attempted to handle the incident quietly through its so-called bug bounty program. Technology companies often pay bounties to security researchers who discover and report flaws in their software. But bug bounty experts questioned whether the payment Uber gave to the hackers fell within the ethical boundaries of such programs, which are designed to induce people to report security flaws so they can be fixed.
In October, Brandon Glover, a Florida resident, and Vasile Mereacre, a Canadian national, pleaded guilty to the hack. They could each face a maximum of five years in federal prison and are expected to be sentenced next year.
Uber did not disclose the breach until 2017, after its former chief executive, Travis Kalanick, was ousted by investors and replaced by Dara Khosrowshahi, Uber’s current chief.
Mr. Khosrowshahi fired Mr. Sullivan and Uber’s legal director of security and law enforcement, Craig Clark, who had helped oversee the response to the security incident.
“We continue to cooperate fully with the Department of Justice’s investigation,” said Matt Kallman, an Uber spokesman. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity and accountability.”