On October 5, 2022, the U.S. Department of Justice announced that a federal jury convicted Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), of obstruction of FTC proceedings and misprision of felony, which is essentially knowing that a federal felony had occurred and affirmatively trying to conceal the felony. The charges stem from an attempted cover-up of a data breach Uber suffered in 2016.
Uber hired Mr. Sullivan in 2015 as the company’s CSO. At that time, Uber had also recently revealed to the FTC that it suffered a data breach in 2014 that exposed the personal information of about 50,000 consumers. Following Uber’s disclosure, the FTC’s Division of Privacy and Identity Protection opened an investigation into Uber’s data security program and practices.
In May 2015, the FTC served Uber with a Civil Investigative Demand (“CID”) seeking information about the instances of unauthorized access and Uber’s data security program and practices. According to the government, Mr. Sullivan learned that Uber was hacked again in 2016 when hackers contacted him via email. The hackers demanded a large ransom to delete data it allegedly exfiltrated, which included records of 57 million Uber users and 600,000 driver license numbers, according to the DOJ. Mr. Sullivan verified the hackers’ claims. And according to the government, Mr. Sullivan did not report the hack to authorities or Uber’s users. Instead, Mr. Sullivan prevented the breach from being reported to the government. According to the press release, Mr. Sullivan “told a subordinate that they ‘can’t let this get out,’ instructed them that the information needed to be ‘tightly controlled,’ and that the story outside of the security group was to be that “this investigation does not exist.’”
Mr. Sullivan then arranged to pay the hackers’ ransom in exchange for the execution of a non-disclosure agreement. Uber then paid the hackers $100,000 in bitcoin. About a month later, Uber identified the two hackers’ real names and required them to sign new non-disclosure agreements. According to the government, Mr. Sullivan also knew that the hackers were hacking and extorting other companies and did not divulge the hack to authorities or Uber’s lawyers and senior leadership. Despite his efforts, Uber’s new management learned of the breach and reported it to the FTC and the general public in 2017.
Mr. Sullivan faces up to five years in prison for obstruction of FTC proceedings and up to three years for the misprision conviction. The federal judge will impose a sentence after considering federal sentencing guidelines and other relevant factors. Separately, the two hackers were arrested, prosecuted, and both pled guilty to computer fraud conspiracy charges. The hackers are awaiting sentencing.
The U.S. Department of Justice’s press release can be read here.
The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom. If you need assistance with such a matter, please contact us today.