
Former Uber CSO Joe Sullivan Convicted of Hiding Cyberattack

On Wednesday, a federal court convicted former Uber Technologies Inc. Chief Security Officer Joseph Sullivan of obstructing a federal investigation and failing to disclose a breach of Uber’s user records to government regulators.

The charges against Sullivan relate to his attempts to conceal a 2016 hack of Uber’s databases.

While Sullivan was serving as the company’s CSO, malicious actors informed him that they had accessed and downloaded a company database. The attack impacted 57 million passengers and drivers and disclosed personally identifying information (PII), including the driver’s license numbers of about 600,000 Uber drivers, according to the U.S. Department of Justice (DOJ).

Instead of informing the U.S. Federal Trade Commission (FTC), Sullivan paid off the attackers to keep quiet about the hack, disguising the $100,000 in Bitcoin payout through a bug bounty program.

“The hackers made clear early in their email correspondence with Uber that they expected a six-figure payout,” court documents said. “Email and text correspondence demonstrate that Sullivan and others considered using Uber’s bug bounty program to pay the hackers, even though that program had never awarded a bounty even close to $100,000 and had a nominal cap of $10,000.”

Sullivan, a former federal prosecutor, also failed to inform the persons whose PII was compromised about the data breach.

Sullivan had the attackers sign non-disclosure agreements that falsely asserted the data in the 2016 breach was never taken or stored, according to the DOJ. He also downplayed the severity of the incident to Uber’s CEO at the time, Travis Kalanick.

After investors forced Kalanick to resign in 2017, the company’s new CEO, Dara Khosrowshahi, fired Sullivan and a company lawyer who was also aware of the incident once he learned the full scope of the breach.

In a settlement agreement with U.S. prosecutors, the company accepted responsibility for hiding the attack and cooperated with federal prosecutors in the trial against Sullivan, who faced several charges.

A U.S. federal judge dismissed three wire fraud charges against Sullivan earlier this year.

A jury in the U.S. District Court for the Northern District of California found Sullivan guilty on one count of failing to report a felony and one count of obstruction of justice. The maximum penalty for failing to report the felony includes up to three years in prison, a $250,000 fine, one year of supervised release, and a $100 special assessment, as well as restitution and forfeiture. The maximum penalty for obstruction of justice in a federal investigation includes a five-year prison sentence, a $250,000 fine, three years of supervised release, and also a $100 special assessment, restitution, and forfeiture.

A sentencing hearing has not yet been scheduled.

“The case—believed to be the first time a company executive faced criminal prosecution over a hack—could change how security professionals handle data breaches,” The New York Times wrote. One security academic noted to the Times that this incident would likely impact various aspects of security, including who is tasked with what responsibilities, documentation, and bug bounty programs.

“Paying out the ransom I think is more common than we’re led to believe. There is an attitude that’s similar to a fender bender,” Michael Hamilton, founder of security firm Critical Insight, told the Washington Post.

Now that a corporate security executive has been found personally liable for a decision about a ransom demand, others will have to weigh a similar dilemma more carefully, especially as ransomware attacks have recently increased.

(United States v. Joseph Sullivan, U.S. District Court for Northern District of California, No. 20-cr-00337, 2022)