Former Uber chief security officer Joe Sullivan has been found guilty of charges that he covered up a 2016 cyberattack where a hacker downloaded the personal information of more than 57 million people. The information stolen from Uber included names, email addresses, and phone numbers for more than 50 million Uber riders and 7 million drivers, as well as driver’s license numbers for another 600,000 drivers.
As reported by the New York Times and Washington Postthe jury convicted Sullivan on two counts: one for obstructing justice by not revealing the breach to the FTC and another for misprision, which is concealing a felony from the authorities.
This is believed to be the first time a company executive faced criminal prosecution over a hack.
He’d faced three counts of wire fraud, but prosecutors dismissed those charges in August. Sullivan had served as a security executive at other companies, including Facebook and Cloudflare, and, as the Post points out, in this case, he was pitted against the same San Francisco US attorney’s office where he had previously worked prosecuting cybercrimes.
The hack itself was described by the prosecution in their original complaint (PDF), noting that it almost exactly mirrored a 2014 breach of Uber that, at the time of the incident, the FTC was already investigating the company over. As the trial began in September, Uber’s systems were breached again in a hack linked to an alleged former member of the Lapsus$ ransomware group, forcing it to temporarily take some internal systems offline.
The 2016 breach occurred when two outsiders trawling Github found credentials giving them access to Uber’s Amazon Web Services (AWS) storage, which they used to download its database backups. The hackers then contacted Uber and negotiated a ransom payment in exchange for a promise to delete the stolen information, paid out in $100,000 worth of Bitcoin, and treated as part of the company’s Bug Bounty program. They eventually pleaded guilty to hacking the company in 2019.
Uber’s new CEO tested he “could not trust” his chief security officer.
As the Times notes, this is believed to be the first time a company executive faced criminal prosecution over a hack. Sullivan’s conviction could change how companies that quietly pay ransoms to hackers respond to similar incidents. The prosecutors showed evidence that Sullivan shared details of the hack and payment with then-Uber CEO Travis Kalanick, as well as the company’s chief privacy lawyer. They also claimed he didn’t reveal it to Uber’s general counsel and said that later he didn’t expose the true scope of the incident to its new CEO, Dara Khosrowshahi.
Bloomberg reports that prosecutors argued Sullivan didn’t reveal the attack to protect his reputation, as he was supposed to have improved Uber’s security after joining the company in 2015. It also reported that Sullivan faces up to eight years in prison but is “likely” to have a far shorter sentence.
Under Khosrowshahi, Uber eventually fired Sullivan, publicly admitted the breach, paid $148 million in civil litigation over the breach to all 50 states, and settled its case with the prosecutors this past July, promising “full cooperation” in the criminal case against Sullivan. On September 16th, Khosrowshahi tested against him, saying, “He was my chief security officer, and I could not trust his judgment anymore.” In 2018, after the breach was revealed, Uber cut a deal with the FTC promising to maintain a privacy program for 20 years and “to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information.”
Sullivan’s lawyers argued that his actions were taken to prevent a leak of users’ data, that he informed the CEO and others who weren’t charged for the incident, and that his team eventually identified the hackers and got them to sign NDAs under their real promising names not to leak the information. In a statement given to the Times, Sullivan’s lawyer David Angeli said, “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet.”