Former Uber CSO, Joe Sullivan, has been sentenced to three years’ probation for his involvement in covering up a data breach in 2016 that affected 57 million Uber users.
Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with his attempts to cover up the hack.
US district judge William Orrick sentenced Sullivan on May 4 to three years’ probation and 200 hours of community service, noting that Sullivan had previously worked to protect people from the crimes he was charged with covering up. Orrick also said that Sullivan’s actions helped stop the stolen private data from being exposed.
Orrick also said that he believed that former Uber CEO Travis Kalanick was equally responsible for the concealment of the data breach. Kalanick has not been charged for his alleged involvement.
Sullivan said of his actions: “I was a bad role model. We’re there to be the champion of the customer, and I failed in this case.”
The 2016 Uber hack and attempted cover-up
In November 2014, Uber suffered a data breach that exposed the personal information of 50,000 customers. As this hack was disclosed to the FTC, Uber’s data security practices were investigated. In May 2015, Uber was served a Civil Investigative Demand by the FTC. The demand required Uber to give extensive information on its data security practices as well as detailed information on any other occasions where unauthorized parties had gained access to confidential user information.
The Department of Justice (DOJ) said that evidence demonstrated that Sullivan played a significant part in Uber’s response to the FTC, including “supervis[ing] Uber’s responses to the FTC’s questions, participat[ing] in a presentation to the FTC in March 2016, and testify[ing] under oath…to the FTC on November 4, 2016, regarding Uber’s data security practices…includ[ing] specific representations about steps he claimed Uber had taken to keep customer data secure”.
Ten days after his testimony, Sullivan learned that the data breach had taken place, as he was contacted directly by the hackers on November 14, 2016.
Evidence at the trial demonstrated that Sullivan actively tried to keep knowledge of the breach from reaching the FTC, including telling a subordinate that information about the hack was to be “tightly controlled” and that they “can[not] let this get out”. He also told employees outside of the security team that the official line to the rest of the business was “this investigation does not exist”.
Sullivan attempted to pay the two hackers $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”. Uber paid the hackers $100,000 in Bitcoin in December 2016, despite not knowing their true identities. In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy. They are currently awaiting sentencing.
Sullivan’s concealment of the breach
Despite this information being crucial to the FTC investigation, evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in the summer of 2016, without Sullivan mentioning the breach.
In 2017, Uber began investigating the 2016 breach. During the investigation, Sullivan lied to the new CEO of Uber, Dara Khosrowshahi, telling him that the hackers were only paid after their identities were revealed. He also deleted information from a draft of a report on the breach that said it involved the exposure of a large amount of personal information from a large number of Uber customers. The breach was eventually discovered and disclosed to both the FTC and the general public in November 2017.