Written by: CDO Magazine Bureau
Updated 4:29 AM UTC, Mon July 10, 2023
(US and Canada) A federal jury convicted Joseph Sullivan, the former Chief Security Officer of Uber, of obstructing proceedings of the Federal Trade Commission (FTC) and of trying to cover up a breach of Uber’s data in 2016.
The announcement was made by United States Attorney Stephanie M Hinds and FBI San Francisco Special Agent in Charge Robert K Tripp following a four-week trial.
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” she added.
Sharing the FBI’s viewpoint, Tripp said, “Companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur.”
Uber suffered two separate data breaches – in 2014 and 2016. It is worth noting that Sullivan was hired as the company’s Chief Security Officer in April 2015, around the time Uber disclosed the first breach (2014) to the FTC. The mobility company had faced unauthorized access to approximately 50,000 consumers’ personal information, including names and driver’s license numbers.
As reported by the Department of Justice, Sullivan, in his new role as CSO, played a central role in Uber’s response to the FTC. Ten days after his FTC testimony, on November 14, 2016, hackers reached out to Sullivan directly via email, saying that they had stolen Uber’s user data and demanding a ransom payment for deleting that data. As per company estimates, the hackers accessed records of about 57 million Uber users and 600,000 driver’s license numbers.
Despite realizing the scale of the breach, Sullivan did not report it to the authorities or even Uber’s users. Instead, he tried to cover it up and arranged to pay off the hackers after signing non-disclosure agreements. Uber paid the hackers $100,000 in Bitcoin in December 2016.
The breach was fully discovered by Uber’s new management, which disclosed it to the authorities in November 2017. Both hackers have also been identified and prosecuted, and have pleaded guilty to computer fraud conspiracy charges.