Joe Sullivan attempted to suppress a leak that exposed more than 50 million company users, the US Justice Department said
Uber’s former chief security officer has been found guilty of attempting to conceal a 2016 data breach, which affected tens of millions of users, as well as paying off hackers to keep a lid on the matter, the US Department of Justice announced on Wednesday.
Joe Sullivan was convicted by a San Francisco jury of obstructing an investigation by the Federal Trade Commission (FTC) and attempting to cover up a security breach which resulted in the theft of approximately 57 million Uber users’ data and 600,000 driver license numbers. The sentence faced by the ex-Uber executive is unclear, but he may get up to eight years in prison.
According to the Justice Department, Sullivan was hired several months before the breach. In November 2016, following the successful attack on Uber, hackers contacted the security chief and demanded a huge ransom for deleting the stolen data.
However, instead of reporting the attack to the authorities, Sullivan did all he could to “prevent any knowledge of the breach from reaching the FTC,” a DOJ statement read. According to the department, at one point he told his subordinate that they “can’t let this get out.”
Following the attack, the former executive paid the hackers $100,000 in bitcoin while the culprits signed non-disclosure agreements in which they promised not to share information about the hack with anyone. Later, both hackers were identified and prosecuted, and pleaded guilty to the attack.
The firm did not publicly disclose the incident or inform the FTC until new management took the reins in 2017. Although Sullivan tried to lie about the data breach to the new CEO and to the outside lawyers who were investigating the hack, the company’s management finally learned the truth.
In November 2017, the company made its findings public, triggering a number of cases against it. The ride-hailing giant had to pay $148 million to settle a case over concealing the data breach and was fined nearly $1.2 million in total by UK and Dutch data protection authorities.
“The message in today’s guilty verdict is clear: Companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Robert Tripp.