The former chief security officer of Uber Technologies was found guilty of two felonies connected to allegations he covered up a massive data breach at the ridesharing company and misled federal regulators about Uber’s response.
Joseph Sullivan was convicted by a jury Wednesday of obstruction of justice and misprision of felony (concealment) in U.S. District Court for the Northern District of California. He faces up to five years in prison on the obstruction charge and three years on the misprision charge and will be sentenced at a later date, according to a Department of Justice (DOJ) press release.
“The message in today’s guilty verdict is clear: Companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said Robert Tripp, special agent in charge at the Federal Bureau of Investigation (FBI), in the release. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
Sullivan was charged in 2020 for allegedly paying $100,000 in 2016 to hackers who successfully breached Uber’s data on 57 million of its users and drivers. The database included the license numbers for approximately 600,000 people who drove for Uber, federal prosecutors said.
Prosecutors alleged Sullivan took deliberate steps to “conceal, deflect, and mislead” the Federal Trade Commission (FTC) about the breach. The FTC was investigating the circumstances of a 2014 breach at Uber when the 2016 breach occurred. Instead of reporting the fresh breach to the FTC, Sullivan conspired to cover it up, prosecutors alleged.
Sullivan was hired in 2015, just a few months after the 2014 breach.
Regarding the 2016 breach, several former Uber executives testified Sullivan also kept them in the dark about important details on the company’s response to the breaches, like the existence of nondisclosure agreements the company signed with the hackers who caused the breach.
In 2017, Uber hired a new chief executive officer, Dara Khosrowshahi, who along with his management team began investigating facts surrounding the 2016 breach.
“When asked by Uber’s new CEO that [sic] had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data,” the DOJ said in its release. “Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.”
The two hackers who received the $100,000 and signed nondisclosure agreements pleaded guilty to computer fraud conspiracy charges in October 2019 and await sentencing, the DOJ said.