Uber driver holding his smartphone in car.
Image: AA+W/Adobe Stock

Former Uber Chief Security Officer Joe Sullivan has been found guilty of criminal obstruction for attempting to conceal a 2016 data breach of tens of millions of customer and driver records.

A federal jury in San Francisco convicted Sullivan Wednesday on charges of obstructing justice and concealing knowledge that a federal felony had been committed, according to the U.S. Department of Justice.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Stephanie M. Hinds in a statement. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.”

Sullivan schemed to hide the breach

The DOJ said evidence presented during his trial showed that “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”

In 2016, Uber’s systems were compromised in a breach that exposed the data of more than 57 million customers and drivers, including names, email address, phone numbers and around 600,000 driver’s license numbers for U.S. drivers.

The data breach occurred only a few months after Uber hired Sullivan to help the company enhance its cybersecurity on the heels of a smaller breach in 2014, where hackers gained access to approximately 50,000 consumers’ personal information.

During the trial, prosecutors presented evidence that once he learned about the 2016 breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating the 2014 breach.

Sullivan, who is now CSO of Cloudflare and a former federal prosecutor, testified about specific steps he claimed Uber had taken to keep customer data secure. Ten days after his FTC testimony, Sullivan learned that Uber had been hacked again, and the perpetrators demanded a large ransom payment in exchange for deleting the data, according to the DoJ statement.

“The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC,’’ the DoJ said.

Sullivan told a subordinate that they “can’t let this get out,” that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist,” according to the DoJ.

“Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack,’’ the DOJ said.

In December 2016, Uber paid the hackers $100,000 in bitcoin even though the hackers had refused to provide their true names. The company was ultimately able to identify the two hackers in January 2017 and required them to execute new copies of the non-disclosure agreements in their true names.

“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies,’’ the DOJ statement said.

The case is believed to be the first time a company executive faced criminal prosecution over a hack and could impact how security professionals handle data breaches.

Uber fired Sullivan in 2017 and federal prosecutors charged him with one count of obstruction and one count of misprision of a felony in 2020.

Uber settles cases

The rideshare company did not publicly disclose the incident or notify the FTC until 2017, when a new chief executive, Dara Khosrowshahi, joined the company. Uber has since paid $148 million to settle a case brought by 50 U.S. states and the District of Columbia for attempting to cover up the breach. Fines totaling nearly $1.2 million were also levied against Uber by U.K. and Dutch data protection authorities since the breach affected 82,000 drivers based in the U.K. and 174,000 Dutch citizens.

Sullivan faces a maximum of five years in prison for the obstruction of justice charge, and up to three years for failing to report the crime. He remains free on bond pending sentencing, which will be set at a later date.

News of Sullivan’s conviction comes just weeks after Uber confirmed that hackers broke into the company’s network and access systems and stole some internal information and Slack messages but said that no sensitive information — like credit card data and trip histories — was taken.

A few days later, Uber revealed the Lapsus$ extortion group, which uses social engineering to target technology firms and other organizations, was responsible.