Former Uber Chief Security Officer (CSO) Joseph Sullivan has been convicted of obstructing proceedings of the Federal Trade Commission (FTC) by covering up a massive data breach in 2016.
The Uber hack of 2016 remains noteworthy even today as it included records on approximately 57 million Uber users and 600,000 driver license numbers. Somehow, even with the size of the data breach, Sullivan’s immediate actions regarding this cybersecurity incident are much more worrisome.
Uber hired Sullivan as its CSO in 2015, a year after hackers hit the company. It had gotten so bad that the Federal Trade Commission issued a Civil Investigative Demand against Uber that demanded information about any other unauthorized access to user personal information and the company’s security practices.
As CSO, Sullivan testified under oath regarding Uber’s data security practices and claimed the company took extra steps to secure users’ data. But then Uber got hacked again.
“The hackers reached out to Sullivan directly, via email, on November 14, 2016,” reads the press release from the US Attorney’s Office for the Northern District of California. “The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data.”
“Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.”
Instead of informing the FTC, Sullivan went to great lengths to cover up the incident. He reached out to the hackers and agreed to pay them $100,000 in bitcoin in exchange for signing non-disclosure agreements, promising not to reveal the hack.
For the next couple of years, Sullivan lied to lawyers, the FTC, and even the new CEO of Uber. The company eventually discovered the incident in late 2017 and reported the breach to the FTC.
Also, the two hackers who breached the company have been prosecuted in the Northern District of California after pleading guilty and are awaiting sentencing. The same goes for Joseph Sullivan, as he’s free on bond pending sentencing.