Law Street Media

Uber’s Former Head of Security Found Guilty of Concealing Hack and Data Breach From Authorities


Joseph Sullivan, the former Chief Security Officer of Uber Technologies Inc., was found guilty of two crimes, obstruction of a 2016 agency proceeding before the Federal Trade Commission (FTC) and misprision of felony, in a jury verdict returned on Wednesday. The San Francisco, Calif., jury reached its decision after a weeks-long trial concerning Sullivan’s involvement in the ride-hailing company’s concealment of a 2016 cybersecurity breach.

The case against Sullivan, Uber’s CSO from April 2015 to November 2017, began in August 2020 when the federal government accused him of concealing the fact that hackers stole the names and driver’s license numbers of approximately 600,000 Uber drivers and some personal information associated with 57 million Uber users and drivers. This July, Uber admitted fault and paid a $148 million fine to the FTC for both hiding the breach and failing to report it in a timely manner.

As relevant to Sullivan’s case, the federal government said that he attempted to keep news of the hack from getting out by directing his team to keep it under wraps and classifying the incident as a bug bounty claim rather than a data breach. Pursuant to the bounty program, the hackers were paid $100,000 in bitcoin, the largest ever bounty paid by Uber, and required to sign non-disclosure agreements containing statements falsely claiming that the hackers did not take control of sensitive data.

In addition, when Uber brought in a new CEO in 2017, Sullivan reportedly lied to him about the circumstances of the breach. Ultimately, the government’s investigation showed that Sullivan “engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted.” 

Three claims for wire fraud were dismissed this August, leaving the obstruction and misprision of a felony charges in place. As to the latter, the jury instructions asked whether there was an unauthorized computer intrusion, whether Sullivan failed to notify a federal authority as soon as possible, and whether he committed an affirmative act to conceal the crime.

The jury found Sullivan guilty of both charges. Obstruction carries a maximum of five years in prison and misprision carries a maximum of three, while both carry up to six-figure fines.

A sentencing hearing has not yet been scheduled. Sullivan is represented by the Angeli Law Group LLC.
