Uber’s former security chief found guilty of covering up 2016 data breach

Uber’s former head of security has been found guilty of criminal obstruction for attempting to cover up a data breach that saw tens of millions of customer and driver records stolen.

A federal jury in San Francisco convicted Joseph Sullivan, Uber’s former chief security officer (CSO), of obstructing justice and concealing knowledge that a federal felony had been committed, the Department of Justice confirmed on Wednesday.

The case pertains to a breach of Uber’s systems in 2016 that exposed the data of 50 million customers and seven million drivers, including names, email addresses, phone numbers and around 600,000 driver’s license numbers for U.S. drivers.

The data breach occurred just a few months after Sullivan was hired by Uber to help the company beef up its cybersecurity after a smaller breach in 2014 that saw hackers access approximately 50,000 consumers’ personal information.

After learning of the 2016 breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission (FTC), which had been investigating the 2014 breach, prosecutors say.

Sullivan, who now serves as Cloudflare’s CSO, told a subordinate that information about the breach needed to be “tightly controlled” and that the story outside of the security group was to be that “this investigation does not exist.” He also arranged to pay the hackers $100,000 under the guise of a bug bounty program in exchange for them signing non-disclosure agreements promising not to reveal the hack.

Uber fired Sullivan in 2017 and in 2020 federal prosecutors charged him with one count of obstruction and one count of misprision of a felony. His trial is believed to be the first time a company executive has faced criminal prosecution over a hack.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

Uber did not publicly disclose the incident or inform the FTC until a new chief executive, Dara Khosrowshahi, joined the company in 2017. Since then, Uber has paid $148 million to settle a case brought by 50 U.S. states and the District of Columbia for attempting to cover up the breach. It was also hit with fines from U.K. and Dutch data protection authorities totaling nearly $1.2 million; the breach affected 82,000 drivers based in the U.K. and 174,000 Dutch citizens.

A sentencing date has not yet been set, but Sullivan faces a maximum of five years in prison for the obstruction of justice charge, and up to three years for failing to report the crime, according to the DOJ.

News of Sullivan’s conviction comes just weeks after Uber confirmed a recent breach that saw hackers break into the company’s network and access systems that store vast troves of customer data. Uber later revealed the Lapsus$-affiliated hacker stole some internal information and Slack messages, but said that no sensitive information — like credit card data and trip histories — was taken.