Joseph Sullivan, Uber’s former security chief and a former federal prosecutor tapped by President Barack Obama to join the National Cybersecurity Commission, was convicted by a federal jury on charges of obstruction of justice and concealing a felony (misprision) in San Francisco on Wednesday, October 5, 2022.1 Mr. Sullivan was found to have attempted to conceal a 2016 data breach from investigators at the Federal Trade Commission, who were investigating Uber for a "strikingly similar" breach that occurred in 2014.
Mr. Sullivan was deposed by the FTC regarding the 2014
investigation 10 days after receiving notification of the 2016 hack and allegedly "took many steps to keep the FTC and others from finding out about it" (Benjamin Kingsley, Assistant U.S. Attorney’s closing argument). Sullivan did not report the incident to Uber’s general counsel Sallee Yoo or to Uber’s lawyers assigned to the FTC investigation.
A lawyer for Uber, Craig Clark, testified that Mr. Sullivan told Uber’s security team that they needed to keep the breach secret. In 2017, Uber began investigating the event, and Mr. Sullivan lied on multiple occasions to the CEO and outside counsel for Uber.
It is believed that 57 million Uber users’ records were hacked, including the driver's license numbers of 600,000 drivers working for Uber. Sullivan paid the two hackers2 $100,000 and made them sign non-disclosure agreements under the guise of Uber’s "bug bounty" program, which encourages reporting of cybersecurity flaws to the company in exchange for a reward (the maximum payout of which is $10,000). While this concealment may have helped Uber avoid fines or penalties in 2014 or 2016, the cover-up ultimately cost it $148 million in settlements with various U.S. states, and Mr. Sullivan faces up to eight years in prison.
This is the first time a company executive has
been found guilty for covering up a data breach, and facing up to eight years in prison is unquestionably severe. However, Mr. Sullivan took affirmative steps to evade the FTC, gave in to extortion, and allowed data on 57 million users – including sensitive personally identifying information on 600,000 drivers – to be exposed without informing the consumers, taking steps to mitigate the damage, or even telling the attorneys at Uber.
What can your enterprise do to reduce the risks of ever more frequent cybersecurity incidents?
Before such an
incident occurs, consider putting clear, written procedures in place and implementing checks and balances to ensure that one individual is not making haphazard, unethical decisions on behalf of the company. If you are exposed to a potential cybersecurity incident, consider involving your attorneys early and often to provide guidance and counsel.
If you need to implement cybersecurity policies and procedures, are exposed to a potential cybersecurity incident, or have questions about potential liability, please reach out to any of the Calfee attorneys below.
1USA v. Sullivan, Case No.: 3:20-cr-00337, U.S. District Court for the Northern District of California. See also Northern District of California Department of Justice News Release, “Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records” available at https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach (October 5, 2022).
2Both hackers were identified by Uber and prosecuted in the Northern District of California, pleading guilty on October 30, 2019 to computer fraud conspiracy charges in the 2016 Uber and Lynda.com hacks. They currently await sentencing and face a maximum five years in federal prison and fines up to $250,000. Somewhat surprisingly, the potential prison sentence for committing the actual crimes is less than what Mr. Sullivan is facing for concealing the same.