Uber’s former security chief covered up enormous hack he said ‘did not exist’

Adam Smith
·3 min read
Uber Cybersecurity (Copyright 2022 The Associated Press. All rights reserved)
Uber Cybersecurity (Copyright 2022 The Associated Press. All rights reserved)

Uber’s former chief security officer has been found guilty of attempting to cover up a data breach in which hackers accessed tens of millions of customer records.

Joseph Sullivan was convicted of obstructing justice and concealing knowledge that a federal felony had been committed.

Mr Sullivan remains free on bond pending sentencing and could face a total of eight years in prison on the two charges when he is sentenced, prosecutors said.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” US Attorney Stephanie M. Hinds said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

It was believed to be the first criminal prosecution of a company executive over a data breach.

The lone hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials. Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long they were inside Uber’s network. There was no indication they destroyed data.

A lawyer for Mr Sullivan, David Angeli, took issue with the verdict. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Angeli told the New York Times.

Uber did not respond to a request for comment.

Mr Sullivan was hired as Uber's chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver's license numbers, prosecutors said.

After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.

According to the US attorney's office, Mr Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,'" and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC's inquiry, prosecutors said.

“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber," the US attorney's office said.

Uber's new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered and the breach was made public, prosecutors said.

Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Mr Sullivan. No other Uber executives were charged in the case.

The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.

Additional reporting by Associated Press