East Bay Times

Ex-Uber chief security officer sentenced to probation

Joseph Sullivan will serve 3-year term, pay fine

- By Jason Green jason.green@bayareanewsgroup.com

SAN FRANCISCO >> Uber's former chief security officer will serve three years of probation and pay a $50,000 fine for covering up a 2016 data breach involving 57 million users of the San Francisco-based ride-hailing service, according to the U.S. Attorney's Office.

A jury in October convicted 54-year-old Palo Alto resident Joseph Sullivan of obstruction of the Federal Trade Commission and misprision of a felony — defined as having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement Thursday.

Sullivan could have received up to five years in prison for the first charge and up to three for the second.

In a sentencing memorandum, prosecutors said Sullivan deserved at least 15 months in prison.

“Instead of doing what he knew was the right thing, he engaged in a rigorous effort to ensure that the victims, the FTC, law enforcement and the public never learned that he and his cybersecurity team had made mistakes that allowed two hackers to steal personal information associated with more than 50 million victims,” prosecutors said. “Part of this court's task is to ensure that every other well-connected corporate executive in a similar position, in the cybersecurity world and elsewhere, knows that the sanction for such a failure will be significant and meaningful.”

Attorneys for Sullivan, meanwhile, pushed for probation, writing in a sentencing memorandum that their client had led an otherwise exemplary life and was “extremely unlikely to engage in future criminal conduct.”

“Throughout his letter to the court, Mr. Sullivan thoughtfully and candidly grapples with the consequences of his actions and demonstrates his awareness that his conduct ‘hurt others and served as a bad example,’” his attorneys said. “Most importantly, Mr. Sullivan not only assures the court that the conduct in this case ‘won't happen again on his watch,’ but has taken action to help ensure that others avoid making the same mistakes.”

According to the U.S. Attorney's Office, Uber hired Sullivan in April 2015, not long after the FTC launched an investigation into a 2014 data breach involving 50,000 users. Sullivan played a key role in the company's response to the probe, including its efforts to comply with investigative demands issued by the government agency.

Ten days after testifying under oath in November 2016, Sullivan learned Uber had been hacked again. The hackers used the same exploit as before but made off with far more data, including records on 57 million users and 600,000 driver's license numbers.

Sullivan did not report the hack to the FTC, other authorities or users, prosecutors said, adding that he instead arranged to pay off the hackers in exchange for them signing nondisclosure agreements, or NDAs, in which they promised not to reveal the hack to anyone.

Drafted by Sullivan and ex-Uber lawyer Craig Clark, the NDAs falsely asserted the hackers did not take or store any data, according to the U.S. Attorney's Office.

Sullivan's attorneys said in their sentencing memorandum that Clark advised Sullivan and his team that the hack would be properly treated as a “bug bounty” and not a reportable data breach if the team could track down the hackers, ensure the information had been deleted and not disclosed, and enter into NDAs with the hackers.

“After an intense, six-week effort, the response team — comprised of industry-leading personnel with vast experience dealing with similar situations — reported to Mr. Sullivan that the two men responsible for the 2016 incident had been located and confronted and that the team believed, based on its forensics work and interviews with the hackers, that the compromised data had been deleted, i.e., that there was no material risk of harm to the drivers whose data was at issue,” his attorneys said.

Prosecutors said Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation into the 2014 hack, but withheld information about the 2016 data breach. The company ultimately entered into a preliminary settlement with the FTC in summer 2016 without disclosing the second hack to the government agency.

In fall 2017, Uber, then under new management, opened an investigation into the 2016 hack. When asked by the chief executive officer what had happened, Sullivan lied about the circumstances of the data breach, including by telling the CEO the hackers did not have any data, according to the U.S. Attorney's Office. Sullivan also reportedly lied to lawyers who were brought in to conduct the probe.

The hack eventually was discovered and publicly disclosed by Uber in November 2017.
