Uber’s former security chief has been convicted of two federal felonies in a rare criminal prosecution over ransom hackings that exposed millions of riders’ personal information.
A federal jury in San Francisco found Joseph Sullivan guilty on Wednesday of misprision of a felony and obstruction of the Federal Trade Commission, ending a four-week trial that was closely watched in the corporate world.
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” Special Agent Robert K. Tripp, who’s in charge of the FBI’s San Francisco office, said in a press release. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
Sullivan’s lawyer David Angeli said his team disagrees with the verdict but appreciates the jury’s decision and effort.
“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the Internet,” Angeli said in a statement released to journalists.
Sullivan’s crimes stem from hacks of Uber’s databases in 2014 and 2016. Thought he didn’t start as the company’s chief security officer until April 2015, he testified about the 2014 breach to the FTC. His testimony happened to occur 10 days before hackers struck again in a worse way, stealing 57 million Uber user records and 600,000 driver license numbers, whereas the 2014 breach exposed about 50,000.
Rather than telling the FTC about it, Sullivan worked to cover up the new breach and orchestrated a secret $100,000 bitcoin payout to the hackers as well as a nondisclosure agreement that “contained the false representation that the hackers did not take or store any data in their hack,” according to the U.S. Attorney’s Office for the Northern District of California.
The hackers collected the $100,000 anonymously, but Uber officials eventually identified them and got them to sign agreements in their true names promising not to discuss the hack.
“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies,” according to the press release.
Sullivan also didn’t tell FTC investigators about the second hacking, and he lied to Uber’s new CEO Dara Khosrowshahi in 2017, telling him the hackers had only been paid after they were identified. He also deleted details about the scope of the breach from a draft report.
The FBI announced Sullivan’s charges in August 2020.
The hackers were prosecuted in federal court, too, with both pleading guilty in October 2019 to computer fraud conspiracy charges. They admitted targeting another corporate entity —Lynda.com— in a ransom hack attempt after attacking Uber.
U.S. District Judge William Orrick III, a 2013 Barack Obama appointee, allowed Sullivan to remain out of jail on bond as he awaits sentencing, which has not yet been set.
Sullivan is being prosecuted by Andrew F. Dawson and Benjamin Kingsley. Their boss, Northern District U.S. Attorney Stephanie M. Hinds, said in the release her office “will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
The names of the hackers could not immediately be obtained, but the article will be updated later once they are.
Read prosecutors’ trial memorandum below:
[Image: Photo by JOSH EDELSON/AFP via Getty Images]
Have a tip we should know? [email protected]