Uber's Former Security Chief Convicted of Covering Up 2016 Data Breach

The firm's former chief information security officer was found guilty of hiding a massive data breach from federal investigators.

A federal jury has convicted Uber’s former security chief of charges related to a 2016 cover-up involving the ride-share giant, according to journalists present in the courtroom.

Joe Sullivan, who was found guilty of one count of obstruction and one count of misprision of a felony on Wednesday, helped to conceal a massive 2016 data breach from authorities, while also obstructing a Federal Trade Commission investigation.

Sullivan’s troubles began in the fall of 2016, when two cybercriminals managed to compromise an Amazon data storage server operated by the company and stole personally identifying information on some 600,000 Uber drivers, as well as approximately 57 million users of the ride-share app. The hackers then contacted Sullivan via email in an attempt to extort the company for $100,000.

To complicate matters, Uber was being investigated by the FTC for a previous hacking incident at the time of the breach. Sullivan secretly paid off the hackers via the company’s bug bounty program and then later misled federal investigators about what had occurred.

Under Sullivan’s watch, the public was never notified about the incident, despite the fact that the criminals had stolen users’ names, phone numbers, and email addresses. Uber drivers’ license numbers were also stolen.

Federal prosecutors alleged that Sullivan subsequently attempted to “conceal, deflect, and mislead the Federal Trade Commission about the breach.” Sullivan’s charges stem from the cover-up, not from paying the hackers. Such payments have become increasingly common in the cybersecurity industry in recent years.

A former federal prosecutor turned corporate cybersecurity guru, Sullivan took over security at Uber after working a similar stint at Facebook and other high-level positions in Silicon Valley. Sullivan helmed operations at the global ride-share firm until November of 2017, when Uber’s new CEO, Dara Khosrowshahi, took over. After Khosrowshahi discovered what had occurred, Sullivan was fired, along with other members of the security team.

The hackers behind the episode were ultimately arrested and charged in connection with the incidents. They pled guilty to related crimes in 2019.

The case has decidedly split those in the cybersecurity community. The New York Times reports that this could be the first time that a security executive was held liable for a hacking incident in this way. The episode could ultimately set a new precedent for future cases in which CISOs must face legal consequences over data breaches. Some security professionals have suggested that Sullivan was “scapegoated” for the incident.