SAN FRANCISCO – A federal jury convicted Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), of obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber. The announcement was made by United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp following a four week trial before the Hon. William H. Orrick, United States District Judge.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain."
The circumstances regarding Sullivan’s violations of the law involve two separate hacks of Uber’s databases—one in 2014 and another in 2016. The evidence at trial established that Sullivan was hired as Uber’s Chief Security Officer (“CSO”) in April 2015. At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014 (“2014 Data Breach”) and that the breach related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and driver’s license numbers. In the wake of that disclosure, the FTC’s Division of Privacy and Identity Protection embarked on an investigation of Uber's data security program and practices. In May 2015, the month after Sullivan was hired, the FTC served a detailed Civil Investigative Demand on Uber, which demanded both extensive information about any other instances of unauthorized access to user personal information, and information regarding Uber’s broader data security program and practices.
The evidence at trial demonstrated that Sullivan, in his new role as CSO, played a central role in Uber's response to the FTC. Specifically, Sullivan supervised Uber’s responses to the FTC’s questions, participated in a presentation to the FTC in March 2016, and testified under oath, at length, to the FTC on November 4, 2016, regarding Uber’s data security practices. Sullivan’s testimony included specific representations about steps he claimed Uber had taken to keep customer data secure.
Exactly ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.
The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.
The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO that had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.
In addition, the two hackers identified by Uber were ultimately prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.
In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.
Sullivan remains free on bond pending sentencing. His sentencing will be set at a later date.
The case is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s Office. The prosecution is the result of an investigation by the FBI.