A federal jury convicted Joseph Sullivan, the former chief security officer of Uber Technologies, Inc., of obstruction of proceedings of the Federal Trade Commission in connection with his attempted cover-up of a 2016 hack of Uber data from 57 million Uber users, including 600,000 driver license numbers.
The Wednesday announcement by U.S. Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp followed a four-week trial before District Judge William H. Orrick.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said Hinds in a statement. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.”
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
“The message in today’s guilty verdict is clear: Companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said Tripp.
In a press release, Hinds said Sullivan’s violations of the law involve two separate hacks of Uber’s databases—one in 2014 and another in 2016.
Sullivan was hired as Uber’s Chief Security Officer in April 2015, prosecutors said. At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014 and that the breach related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and driver’s license numbers.
In the wake of that disclosure, the FTC’s Division of Privacy and Identity Protection embarked on an investigation of Uber's data security program and practices. In May 2015, the month after Sullivan was hired, the FTC demanded information about any other instances of unauthorized access to user personal information and information regarding Uber’s broader data security program and practices.
Prosecutors said Sullivan, in his new role at Uber, played a central role in the company's response to the FTC. They said he testified under oath to the FTC on November 2016, regarding Uber’s data security practices, including specific steps he claimed Uber had taken to keep customer data secure.
Ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, and informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data.
Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.
Hinds said that Sullivan led a scheme to prevent any knowledge of the breach from reaching the FTC, claiming that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack.
Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names.
Uber was ultimately able to identify the two hackers in January 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else.
“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies,” Hinds said in the press release.
“The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them,” she said.
Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach, and prosecutors said Sullivan lied to the new CEO and company lawyers about the hackers.
The two hackers identified by Uber were ultimately prosecuted on federal charges, and pleaded guilty.
In finding Sullivan guilty, the jury concluded he obstructed justice and that he committed “misprision of felony – he knew that a federal felony had been committed and took steps to conceal that felony.
He faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge. Sullivan remains free on bond pending sentencing. His sentencing will be set at a later date.