Former Uber security chief found guilty of covering up data breach

A federal jury found Uber’s former head of security Joseph Sullivan guilty of covering up a 2016 data breach and extortion scheme that exposed 57 million app users’ personal information.

MARIA DINZEO / October 5, 2022

SAN FRANCISCO (CN) — In a verdict with far-reaching implications for security chiefs nationwide, a federal jury convicted Uber’s former head of security Joe Sullivan on Wednesday of concealing a 2016 data breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.

Sullivan had only been on the job a few months when two hackers broke into Uber’s Amazon data storage server in October 2016 and swiped the personal information of 57 million app users, including names, phone numbers, email addresses and 600,000 driver’s license numbers.

Prosecutors say the breach looked terrible for Sullivan, who was brought on to help the company beef up its cybersecurity after a similar breach in 2014 in which a hacker accessed unencrypted customer data housed in Uber’s Amazon data store using a key Uber engineers had left sitting exposed in GitHub.

After one of the hackers reached out to Sullivan's personal email address and demanded a six-figure payment, Sullivan and his security team decided to treat the incident as a routine bug bounty and funneled a $100,000 bitcoin ransom through HackerOne.

Vasile Mereacre, of Toronto, and Brandon Glover, of Florida, pleaded guilty to the hack in October 2019.

Just 10 days before the hackers contacted him, Sullivan gave a lengthy deposition to the Federal Trade Commission on Uber’s progress in tightening security after the 2014 breach as part of the regulator’s ongoing investigation. Prosecutors note that after learning about the breach, Sullivan remarked that it “may play very badly based on previous assertions” to the FTC and that he’d “just been deposed on this topic.”

Uber fired Sullivan in 2017 and in 2020 federal prosecutors charged him with one count of obstruction and one count of misprision of a felony. His trial was said to be the first criminal prosecution of a tech company executive over a data breach.

Sullivan’s defense attorneys say he made no effort to conceal the breach, and that Uber’s legal department was responsible for advising its security team on whether the incident was reportable.

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” lead defense attorney David Angeli said in an email following the verdict. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet. We will evaluate next steps in the coming days.”

Jurors leaving the courthouse declined to speak with reporters.

Sullivan faces a maximum of eight years in prison. U.S. District Judge William Orrick said he was in no rush to schedule a sentencing date.

“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” U.S. Attorney Stephanie Hinds said in a statement late Wednesday. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”