Former Uber CSO Convicted for Covering Up Data Breach

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

Former Uber Chief Security Officer (CSO) Joseph Sullivan was convicted of obstructing proceedings of the Federal Trade Commission (FTC) by covering up a massive data breach in 2016.

The Uber hack of 2016 remains noteworthy as it included records on a whopping 57 million Uber users and around 600,000 driver license numbers.

Uber hired Sullivan as its CSO in 2015, a year after hackers first hit the company. In response to the data breach, the FTC issued a Civil Investigative Demand against Uber that demanded information about any other unauthorized access to users’ personal information and the company’s security practices.

As CSO, Sullivan testified under oath in regard to Uber’s data security practices and claimed that the company took extra steps to secure users’ data. However, Uber ended up getting hacked again.

“The hackers reached out to Sullivan directly, via email, on Nov. 14, 2016,” read the press release from the US Attorney’s Office for the Northern District of California on Wednesday. “The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data.”

“Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers,” the press release added.

Instead of informing the FTC about the incident, Sullivan did his best to cover it up. He reached out to the hackers and agreed to pay them $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to announce the hack.

For the next few years, Sullivan lied to lawyers, the FTC, and the new CEO of Uber about the data breach. However, the company eventually discovered the incident in late 2017 and reported the breach to the FTC.

The two hackers who breached Uber were prosecuted in the Northern District of California after pleading guilty and are now awaiting sentencing. The same occurred for Joseph Sullivan, but he’s currently free on bond pending sentencing.

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.

Leave a Comment