Skip to main content

Ex-Uber Security Chief Convicted of Federal Felonies for Concealing Ransom Hacking That Exposed Data of 57 Million Riders

 

In this pan zoom image, an Uber logo is seen outside the company’s headquarters in San Francisco, California on May 8, 2019.

Uber’s former security chief has been convicted of two federal felonies in a rare criminal prosecution over ransom hackings that exposed millions of riders’ personal information.

A federal jury in San Francisco found Joseph Sullivan guilty on Wednesday of misprision of a felony and obstruction of the Federal Trade Commission, ending a four-week trial that was closely watched in the corporate world.

“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” Special Agent Robert K. Tripp, who’s in charge of the FBI’s San Francisco office, said in a press release. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”

Sullivan’s lawyer David Angeli said his team disagrees with the verdict but appreciates the jury’s decision and effort.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the Internet,” Angeli said in a statement released to journalists.

Sullivan’s crimes stem from hacks of Uber’s databases in 2014 and 2016. Thought he didn’t start as the company’s chief security officer until April 2015, he testified about the 2014 breach to the FTC. His testimony happened to occur 10 days before hackers struck again in a worse way, stealing 57 million Uber user records and 600,000 driver license numbers, whereas the 2014 breach exposed about 50,000.

Rather than telling the FTC about it, Sullivan worked to cover up the new breach and orchestrated a secret $100,000 bitcoin payout to the hackers as well as a nondisclosure agreement that “contained the false representation that the hackers did not take or store any data in their hack,” according to the U.S. Attorney’s Office for the Northern District of California.

The hackers collected the $100,000 anonymously, but Uber officials eventually identified them and got them to sign agreements in their true names promising not to discuss the hack.

“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies,” according to the press release.

Sullivan also didn’t tell FTC investigators about the second hacking, and he lied to Uber’s new CEO Dara Khosrowshahi in 2017, telling him the hackers had only been paid after they were identified. He also deleted details about the scope of the breach from a draft report.

The FBI announced Sullivan’s charges in August 2020.

The hackers were prosecuted in federal court, too, with both pleading guilty in October 2019 to computer fraud conspiracy charges. They admitted targeting another corporate entity —Lynda.com— in a ransom hack attempt after attacking Uber.

U.S. District Judge William Orrick III, a 2013 Barack Obama appointee, allowed Sullivan to remain out of jail on bond as he awaits sentencing, which has not yet been set.

Sullivan is being prosecuted by Andrew F. Dawson and Benjamin Kingsley. Their boss, Northern District U.S. Attorney Stephanie M. Hinds, said in the release her office “will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

The names of the hackers could not immediately be obtained, but the article will be updated later once they are.

Read prosecutors’ trial memorandum below:

[Image: Photo by JOSH EDELSON/AFP via Getty Images]

Have a tip we should know? [email protected]

Filed Under:

Follow Law&Crime:

A graduate of the University of Oregon, Meghann worked at The Spokesman-Review in Spokane, Washington, and the Idaho Statesman in Boise, Idaho, before moving to California in 2013 to work at the Orange County Register. She spent four years as a litigation reporter for the Los Angeles Daily Journal and one year as a California-based editor and reporter for Law.com and associated publications such as The National Law Journal and New York Law Journal before joining Law & Crime News. Meghann has written for The Washington Post, Los Angeles Times, The New York Times, Los Angeles Magazine, Bloomberg Law, ABA Journal, The Forward, Los Angeles Business Journal and the Laguna Beach Independent. Her Twitter coverage of federal court hearings in a lawsuit over homelessness in Los Angeles placed 1st in the Los Angeles Press Club's Southern California Journalism Awards for Best Use of Social Media by an Independent Journalist in 2021. An article she freelanced for Los Angeles Times Community News about a debate among federal judges regarding the safety of jury trials during COVID also placed 1st in the Orange County Press Club Awards for Best Pandemic News Story in 2021.