IOTW: Former Uber CSO charged with concealing data breach

Former Uber CSO, Joe Sullivan, has been sentenced to three years’ probation for his involvement in covering up a data breach in 2016 that affected 57 million Uber users.

Sullivan was convicted on October 5 of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with his attempts to cover up the hack.

US district judge William Orrick sentenced Sullivan on May 4 to three years’ probation and 200 hours of community service, noting that Sullivan had previously worked to protect people from the crimes he was charged with covering up. Orrick also said that Sullivan’s actions helped stop the private data that was stolen from becoming exposed.

Orrick also said that he believed that former Uber CEO Travis Kalanick was equally responsible for the concealment of the data breach. Kalanick has not been charged for his alleged involvement.

Sullivan said of his actions: “I was a bad role model. We’re there to be the champion of the customer, and I failed in this case.”


The 2016 Uber hack and attempted cover-up

In November 2014, Uber suffered a data breach that exposed the personal information of 50,000 customers. As this hack was disclosed to the FTC, Uber’s data security practices were investigated. In May 2015, Uber was served a Civil Investigative Demand by the FTC. The demand required Uber to give extensive information on its data security practices as well as detailed information on any other occasions where unauthorized parties had gained access to confidential user information.

The Department of Justice (DOJ) said that evidence demonstrated that Sullivan played a significant part in Uber’s response to the FTC, including “supervis[ing] Uber’s responses to the FTC’s questions, participat[ing] in a presentation to the FTC in March 2016, and testify[ing] under oath…to the FTC on November 4, 2016, regarding Uber’s data security practices…includ[ing] specific representations about steps he claimed Uber had taken to keep customer data secure”.

Ten days after his testimony, Sullivan learned that the data breach had taken place, as he was contacted directly by the hackers on November 14, 2016. Evidence at the trial demonstrated that Sullivan actively tried to keep knowledge of the breach from reaching the FTC, including telling a subordinate that information about the hack was to be “tightly controlled” and that they “can[not] let this get out”. He also told employees outside of the security team that the official line to the rest of the business was “this investigation does not exist”.

Sullivan attempted to pay the two hackers $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”. Uber paid the hackers $100,000 in Bitcoin in December 2016, despite not knowing their true identities. In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy. They are currently awaiting sentencing.


Sullivan’s concealment of the breach

Despite this information being crucial to the FTC investigation, evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in the summer of 2016, without Sullivan mentioning the breach.

In 2017, Uber began investigating the 2016 breach. During the investigation, Sullivan lied to the new CEO of Uber, Dara Khosrowshahi, telling him that the hackers were only paid after their identities were revealed. He also deleted information from a draft of a report on the breach that said it involved the exposure of a large amount of personal information from a large number of Uber customers. The breach was eventually discovered and disclosed to both the FTC and the general public in November 2017.