Ex-Uber security head convicted guilty of impeding FTC investigation into data leak

The former chief security officer of Uber Technologies was convicted guilty of two crimes in connection with claims that he covered up a significant data breach at the ridesharing company and deceived federal regulators about Uber's reaction.

In U.S. District Court for the Northern District of California, a jury on Wednesday found Joseph Sullivan guilty of misprision of crime (concealment) and obstruction of justice. According to a Department of Justice (DOJ) news statement, he will be sentenced later and faces up to five years in prison for obstruction and three years for misprision.

According to Robert Tripp, special agent in charge at the Federal Bureau of Investigation (FBI), "The message in today’s guilty verdict is clear: Companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur. The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain."

For reportedly paying $100,000 to hackers who successfully stole the data of 57 million Uber customers and drivers in 2016, Sullivan was accused in 2020. According to federal authorities, the database contained the license numbers for almost 600,000 individuals who worked as Uber drivers.

The Federal Trade Commission (FTC) violation was allegedly "concealed, deflected, and misled" by Sullivan, according to the prosecution. When the 2016 hack happened, the FTC was looking into the facts surrounding a 2014 breach at Uber. Prosecutors said that Sullivan plotted to conceal the new breach rather than disclosing it to the FTC.

Just a few months after the 2014 breach, Sullivan was hired.

Several former Uber executives who testified about the 2016 breach claimed that Sullivan also kept them in the dark about crucial information regarding the company's response to the breaches, such as the existence of nondisclosure agreements the company had signed with the hackers who were responsible for the breach.

Uber appointed Dara Khosrowshahi as its new CEO in 2017, and he and his management team have since started looking into the circumstances surrounding the 2016 data leak.

"When asked by Uber’s new CEO that [sic] had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data," the DOJ said in a statement. "Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017."

The two hackers who got the $100,000 and agreed to nondisclosure agreements entered into a plea deal in October 2019 and are currently awaiting sentence, according to the DOJ.

By fLEXI tEAM