Former Uber exec convicted in hacking cover-up
A former Uber executive has been convicted on charges that he obstructed a Federal Trade Commission (FTC) investigation involving two hacks of the company that happened in 2014 and 2016.
On Wednesday, after a four-week trial, a jury found Joe Sullivan guilty of obstruction of proceedings of the FTC and of misprision of felony, which is taking steps to conceal a felony from authorities.
Sullivan was hired as Uber’s chief security officer in 2015 while the FTC was investigating the 2014 data breach in which hackers obtained about 50,000 customers’ personal information, including names and driver’s license numbers.
Sullivan supervised Uber’s responses to the FTC’s questions, participated in a presentation to the agency in March 2016 and testified under oath to the FTC that November on the company’s data security practices, according to a Justice Department (DOJ) release. He mentioned steps he had taken to keep customer data secure during his testimony.
The release states that Sullivan learned Uber was hacked again 10 days after he testified. The hackers reached out directly to Sullivan through email and told him that they had stolen significant amounts of user data, demanding a large ransom for deleting the data.
The data that the hackers obtained impacted about 57 million users and included about 600,000 driver’s license numbers.
Prosecutors alleged that Sullivan carried out a plan to keep knowledge of the breach from the FTC and did not alert Uber’s users.
The DOJ release states that Sullivan told a subordinate that they can’t let “this get out” and that information related to the breach needed to be “tightly controlled.”
Sullivan arranged to pay the two hackers in exchange for their signing non-disclosure agreements in which they promised not to publicly reveal the hack. Uber ultimately paid them $100,000 in bitcoin in December 2016 and forced them to sign updated non-disclosure agreements after learning their real names in January 2017.
Sullivan continued to work with Uber’s attorneys handling the FTC inquiry and never told them of the second breach.
Uber reached a preliminary agreement with the FTC in 2016, which Sullivan supported, without telling the FTC of the 2016 hack.
Uber’s new leaders started investigating the 2016 hack in fall 2017. According to the DOJ, Sullivan lied to the CEO, claiming that the company paid the hackers only after they were identified, and also lied to the company’s outside lawyers conducting an independent investigation.
Uber’s management eventually learned the truth about the breach and publicly disclosed it and told the FTC in November 2017.
The two hackers were prosecuted and pleaded guilty in October 2019 to computer fraud conspiracy charges.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said U.S. Attorney Stephanie Hinds. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
The Washington Post reported that Sullivan’s attorney, David Angeli, told the jury that Sullivan led a team that worked “tirelessly” to protect Uber’s customers. He said the real world works differently than policies from company manuals and Sullivan’s focus has been to ensure people’s personal data is secure online.