A federal jury has found Joe Sullivan, former CSO of Uber, guilty of covering up a data breach the company suffered in 2016.
The breach saw 57 million user’s information including full names, email addresses, telephone numbers and driver’s license numbers exposed, and led to Uber paying US$148,000 to settle civil litigation.
Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with attempting to cover up the hack.
In November 2014, Uber suffered a data breach that exposed the personal information of 50,000 customers. As this hack was disclosed to the FTC, Uber’s data security practices were investigated. In May 2015, Uber was served a Civil Investigative Demand by the FTC. The demand required Uber to give extensive information on its data security practices as well as detailed information on any other occasions where unauthorized parties had gained access to confidential user information.
Sullivan’s actions during the FTC investigation
The Department of Justice (DOJ) said in a statement that it was demonstrated that Sullivan played a significant part in Uber’s response to the FTC, including “supervis[ing] Uber’s responses to the FTC’s questions, participat[ing] in a presentation to the FTC in March 2016, and testify[ing] under oath…to the FTC on November 4, 2016, regarding Uber’s data security practices…includ[ing] specific representations about steps he claimed Uber had taken to keep customer data secure”.
Ten days after his testimony, Sullivan learned that the data breach had taken place, as he was contacted directly by the hackers on November 14, 2016.
Evidence at the trial demonstrated that Sullivan actively tried to keep knowledge of the breach reaching the FTC, including telling a subordinates that information about the hack was to be “tightly controlled” and that they “can[not] let this get out”. He also told employees outside of the security team that the official line to the rest of the business was “this investigation does not exist”.
Sullivan attempted to pay the two hackers $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”. Uber paid the hackers $100,000 in Bitcoin in December 2016, despite not knowing their true identities. In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy. They are currently awaiting sentencing.
Sullivan concealed the breach
Despite this information being crucial to the FTC investigation, evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in summer of 2016, without Sullivan mentioning the breach.
In 2017, Uber began investigating the 2016 breach. During the investigation, Sullivan lied to the new CEO of Uber, Dara Khosrowshahi, telling him that the hackers were only paid after their identities were revealed. He also deleted information from a draft of a report on the breach that it involved the exposure of a large amount of personal information of a large number of Uber customers. The breach was eventually discovered and disclosed to both the FTC and the general public in November 2017.
At the trial, the jury found Sullivan guilty of obstruction of justice and misprision of felony. He faces a maximum of five years in prison for obstruction and a maximum of three years for misprision. He remains free on bond and will be sentenced at a later date, yet to be set.