SAN FRANCISCO – The ex-chief security officer of Uber Technologies Inc. has been convicted of covering up a 2016 data breach involving 57 million of the San Francisco-based ride-hailing company’s users, according to the U.S. Attorney’s Office.
A jury on Wednesday found Joseph Sullivan guilty of obstruction of justice and misprision of felony, or having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement. He faces up to five years for the obstruction charge and up to three years for the misprision charge.
According to the U.S. Attorney’s Office, Sullivan was hired as Uber’s chief security officer in April 2015. The company at the time had recently disclosed to the Federal Trade Commission that it had been the victim of a data breach in 2014. The breach related to the unauthorized access of 50,000 customers’ personal information.
The FTC subsequently opened an investigation into Uber’s data security program and practices. In May 2015, a month after Sullivan was hired, the FTC served the company with a demand for information about any other instances of unauthorized access to user personal information as well as information regarding its broader data security program and practices.
Prosecutors said Sullivan played a key role in Uber’s response to the FTC – he supervised its responses to the FTC, participated in a presentation to the FTC in March 2016 and testified under oath on Nov. 4, 2016, regarding the company’s data security practices.
Ten days after he testified, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly via email on Nov. 14, 2016, and informed him and others at the company that they had stolen user data, according to the U.S. Attorney’s Office. The hackers also reportedly demanded a ransom to delete that data.
All told, the breach involved the personal data of 57 million Uber users and 600,000 driver’s license numbers.
Prosecutors said Sullivan did not report the new data breach to the FTC, other authorities or users; he instead arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal the hack to anyone. The NDAs also reportedly contained the false representation that the hackers did not take or store any data in the hack. In December 2016, the company paid the hackers $100,000 in bitcoin despite their refusal to provide their true names.
Uber identified two of the hackers in January 2017 and made them sign new copies of the NDAs in their true names. According to the U.S. Attorney’s Office, Sullivan carried out the plan despite knowing that the hackers were hacking and extorting other companies and that the hackers had obtained data from some of them.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in the statement. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds continued. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
In fall 2017, new management at Uber launched an investigation into the 2016 data breach. Prosecutors said Sullivan falsely told the CEO that the hackers had been paid only after they were identified. He also reportedly altered a report to downplay the severity of the breach and lied to lawyers brought in to conduct the probe.
The 2016 data breach was ultimately discovered and publicly disclosed by Uber in November 2017.
In addition to Sullivan, the two hackers identified by Uber were prosecuted. On Oct. 30, 2019, they pleaded guilty to computer fraud conspiracy charges and await sentencing.
Sullivan, meanwhile, remains free on bond pending a sentencing hearing, which has not been scheduled.