CALIFORNIA—A criminal complaint was filed in federal court on Tuesday, August 11 charging Joseph Sullivan, Uber’s Chief Security Officer, with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated.

Between April 2015 and November 2017, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. The hackers revealed that they had accessed and downloaded an Uber database containing personally identifying information associated with approximately 57 million Uber users and drivers. The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber.

The criminal complaint filed against Sullivan alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach. The FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath on a variety of topics. Sullivan assisted in the preparation of Uber’s responses to the written questions and was designated to provide sworn testimony.

Rather than report previous breaches, Sullivan allegedly took deliberate steps to prevent knowledge of previous breaches from reaching the FTC. According to the criminal complaint, Sullivan sought to pay hackers off by funneling the payoff through a bug bounty program, a program in which a third-party intermediary arranges payment to hackers who point out security issues but have not actually compromised data. Uber paid hackers $100,000 in Bitcoin in December 2016 in a previous breach despite the fact that the hackers refused to provide their true names.

In the previous breach that occurred in 2016, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. After Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained.

Uber’s new management discovered the incident and disclosed the breach publicly to the FTC in November 2017. Since that time, Uber has responded to additional government inquiries. The criminal complaint alleges Sullivan deceived Uber’s new management team about the 2016 breach. Sullivan failed to provide the new management team with critical details about the breach.

In August of 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited the document with false information. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.

The two hackers identified by Uber were prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019 to computer fraud conspiracy charges and now await sentencing. Sullivan is charged with obstruction of justice in violation of 18 U.S.C. § 1505 and misprision of a felony in violation of 18 U.S.C. § 4.

The case is being prosecuted by the Corporate Fraud Strike Force of the U.S. Attorney’s Office. The prosecution is the result of an investigation by the FBI.