The former chief security officer of Uber, Joseph Sullivan of Palo Alto, was sentenced May 5 to serve a three-year term of probation and ordered to pay a fine of $50,000.
The sentence was handed down by U.S. District Judge William H. Orrick, following a conviction in a jury trial in October.
First Assistant U.S. Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp said that while Sullivan, 54, was serving as chief security officer for Uber Technologies, Inc., Uber was under investigation by the Federal Trade Commission for a data breach that the San Francisco-based company had suffered in 2014.
The FTC’s Division of Privacy and Identity Protection, which is charged with overseeing issues related to consumer privacy and information security, among other things, ultimately investigated both the nature and circumstances of that 2014 data breach and Uber’s broader cybersecurity program.
Sullivan was hired soon after the FTC investigation launched, and he participated in Uber’s response to that investigation, including its efforts to comply with investigative demands issued by the FTC, prosecutors said. Among other things, Sullivan participated in a presentation to the FTC in March 2016 regarding Uber’s cybersecurity program, and he testified under oath in November 2016.
Testimony at Sullivan’s trial last October revealed that 10 days after his sworn FTC testimony, Sullivan learned that Uber had been hacked again. Furthermore, the hackers had exploited the same vulnerability that had led to the 2014 breach. Unlike the 2014 breach, however, the data stolen in 2016 was massive in scale and included records associated with approximately 57 million Uber users and drivers, according to trial testimony.
Despite having testified regarding that same security vulnerability and related issues ten days prior, Sullivan was accused of executing a scheme to prevent any knowledge of the breach from reaching the FTC.
In one instance, Sullivan told a subordinate that they “can’t let this get out” and stated that the breach would “play very badly based on previous assertions” to the FTC.
He also arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone. Those contracts, drafted by Sullivan and a lawyer assigned to his team, falsely represented that the hackers did not take or store any data in their hack.
Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the general counsel of Uber, but he withheld information about the breach from all of them, said prosecutors. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016 without disclosing the 2016 data breach to the FTC. As part of the negotiations, Sullivan learned that the FTC was relying on false information previously provided by Uber, but he failed to alert any of Uber’s lawyers or the FTC.
In fall 2017, Uber’s new management began investigating the facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied about the circumstances of the breach, including by telling the CEO that the hackers did not steal any data. Sullivan lied again to Uber’s outside lawyers who were conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.