By: Ravie Lakshmanan
A U.S. federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of not disclosing a 2016 breach of customer and driver records to regulators and attempting to cover up the incident.
Sullivan has been convicted on two counts: One for obstructing justice by not reporting the incident and another for misprision. He faces a maximum of five years in prison for the obstruction charge, and a maximum of three years for the latter.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” U.S. Attorney Stephanie M. Hinds said in a press statement.
“We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
The 2016 hack of Uber occurred as a result of two hackers gaining unauthorized access to the company’s database backups, prompting the ride-hailing firm to secretly pay a $100,000 ransom in December 2016 in exchange for deleting the stolen information.
Uber also had the extortionists sign a non-disclosure agreement in an attempt to pass-off the break-in as a bug bounty reward. The backups contained data belonging to 50 million Uber riders and 7 million drivers.
Complicating things further, the incident occurred when the U.S. Justice Department and the Federal Trade Commission (FTC) were already probing the company for another data breach that took place on May 13, 2014.
In February 2015, Uber revealed that one of its databases had been improperly accessed following a potential compromise of one of the encryption keys, resulting in the exposure of names and license numbers of about 50,000 drivers. The incident was discovered on September 14, 2016.
“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” the FTC noted in 2018.
The DoJ said that Sullivan played a crucial role in shaping Uber’s response to FTC regarding the 2014 breach, with the defendant testifying under oath on November 4, 2016, about the number of steps that he claimed the company had taken to secure user data.
But upon learning that Uber was compromised again, that too merely ten days after his FTC testimony, the agency said “Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC” instead of opting to divulge the matter to the authorities and its users.
Federal prosecutors also accused Sullivan of lying to Uber’s chief executive Dara Khosrowshahi as well as the company’s outside lawyers investigating the 2016 incident, stating the “truth about the breach” finally came to light in November 2017.
What’s more, Travis Kalanick, Uber’s co-founder and then CEO, who resigned from the company in June 2017, is said to have approved Sullivan’s strategy for handling the unauthorized intrusion. Kalanick has not been charged.
In a statement shared with The New York Times, Sullivan’s legal team said his only focus during the course of the incident and his professional career has been to ensure the “safety of people’s personal data on the internet.”
The development, which marks the first time a senior company executive has faced criminal charges over a data breach, comes as the two hackers involved in the 2016 incident await sentencing for their fraud conspiracy charges after pleading to the crime in October 2019.
“The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity — Lynda.com — and attempt to ransom that data as well,” the DoJ pointed out.
The fact that the 2014 and 2016 security lapses mirrored each other notwithstanding, Uber came under spotlight last month for the wrong reasons when its systems were breached a third time in a hack that it has since linked to the LAPSUS$ cybercrime group.
This past July, Uber also settled with the DoJ to pay $148 million and agreed to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.”
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” FBI San Francisco Special Agent in Charge Robert K. Tripp said.