On August 20, 2020, 52-year-old former Chief Security Officer (“CSO”) for Uber Technologies Inc. (“Uber”) Joseph Sullivan was charged with two felonies by the USA according to a FBI criminal complaint filed in the United States District Court for the Northern District of California. While acting as Uber’s CSO, Mr. Sullivan oversaw Uber’s response to and participation with the Federal Trade Commission’s (“FTC”) investigation into the 2014 data breach. If convicted, Mr. Sullivan may spend more than a decade in Federal prison.
To recap, in 2014 Uber suffered a data breach involving approximately 100,000 driver records that leaked to an unknown "intruder." The intruder viewed the driver data through Amazon Web Services in plain text with an access key that was publicly posted by an Uber engineer to GitHub, a code sharing website. As an extra nail in the coffin, the engineer "granted full administrative privileges to all data and documents" on the Amazon server. As a result of the intrusion, over 100,000 unencrypted names and driver's license numbers, 215 unencrypted names and bank account and domestic routing numbers, 84 unencrypted names and social security numbers, as well as physical addresses, email addresses, cellphone numbers, device IDs and location information from Uber trips were stolen.
In November 2016, hackers communicating as “firstname.lastname@example.org” stole names and driver's license numbers of approximately 600,000 drivers, as well as the names, email addresses and phone numbers of 57 million passengers and drivers.
During the FTC’s investigation into the 2014 data breach, Mr. Sullivan actively responded to FTC inquiries, including investigative hearings. However, he declined to advise the FTC of the 2016 data breach and is accused of orchestrating a cover-up of the 2016 data breach, which included withholding the information from the Uber CEOs. Despite knowing that Uber was preparing to update the FTC on employee access to personally identifying information, Sullivan never informed the FTC or Uber’s own counsel of the 2016 data breach, which was significantly larger than the 2014 breach.
According to the FBI’s complaint, “When Uber brought in a new CEO in 2017, Mr. Sullivan lied to him about the circumstances surrounding that  data breach.” FBI records purportedly show that Mr. Sullivan instructed his team not to disclose any details of the breach and treated the incident under its “bug bounty” program. Bug bounty programs are designed to incentivize white-hat hackers, or “researchers,” to identify security vulnerabilities by offering a monetary reward in exchange for such efforts. Sullivan purportedly paid the hackers $100,000 in ransom in December 2016, disguised by the “bug bounty” program and required them to sign non-disclosure agreements (“NDAs”).
The FBI criminal complaint further alleges that the NDAs falsely represented that the hackers did not obtain or store any data during their intrusion. The hackers also initially signed the NDAs using pseudonyms. In January 2017, Uber personnel were able to identify two individuals responsible for the breach. Uber approached them, interviewed them, and arranged for them to sign fresh copies of the NDAs with real names. In November 2017, Uber’s CEO disclosed the breach to the FTC and terminated Mr. Sullivan.
On August 2, 2018, a Grand Jury in the Northern District of California returned an indictment charging the 2016 hackers with computer and extortion crimes. In their testimony, the two primary hackers responsible for 2016 breach noted their surprise regarding Uber’s willingness to pay the ransom.
Sullivan’s role in the cover-up of the 2016 breach resulted in the following charges: 1) Count One: Obstruction of Justice, in violation of 18 U.S.C. § 1505; 2) Count Two: Misprision of a felony, in violation of 18 U.S.C. § 4.
The first charge for obstruction of justice is for individuals that “corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law[.]” It further includes “acting with an improper purpose, personally or by influencing another, including making a false or misleading statement, or withholding, concealing, altering, or destroying a document or other information.” (See 18 U.S.C. § 1515. This charge carries a maximum sentence of 8 years in prison. The second charge relates to concealing crimes, permitting imprisonment up to 3 years and fines for “whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States[.]”
While civil penalties and lawsuits are commonplace in the world of data breaches, this criminal complaint from the FBI should demonstrate the very real criminal implications for actively concealing data breaches. Mr. Sullivan is facing monetary fines and up to 11 years in prison.