Criminal Jury Finds Former Uber Security Chief Guilty for Concealing Data Breach | Practical Law

A jury has found Uber Technologies Inc.'s former chief security officer guilty of several federal crimes after he attempted to cover up a 2016 cybersecurity incident while the company was under an active FTC investigation regarding its data security practices. The case may be the first time a company executive has faced criminal prosecution for mishandling a data breach.

Practical Law Legal Update w-037-1846 (Approx. 4 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 06 Oct 2022 | USA (National/Federal)
On October 5, 2022, a federal jury found former Uber Technologies Inc. chief security officer Joseph Sullivan guilty of obstruction of justice and concealment of a felony in connection with covering up a data breach that exposed driver and rider personal data. His trial is thought to be the first time a company executive has faced criminal prosecution related to handling a data breach.
The government alleged that when Sullivan learned in 2016 that two hackers had stolen the personal data of about 57 million Uber riders and drivers and demanded a ransom payment, Sullivan took steps to conceal the breach, including:
  • Paying the hackers $100,000 to delete the data and sign a non-disclosure agreement that falsely portrayed the hackers as "white hat" researchers participating in a sanctioned bug bounty program for reporting security vulnerabilities.
  • Failing to disclose the incident to the FTC or other governmental authorities, including as required under state data breach notification laws.
  • Failing to report the incident to Uber's general counsel.
At the time of the incident, the FTC was actively investigating Uber's data security practices in the wake of a 2014 data breach. As part of that investigation, Sullivan supervised Uber's responses to the FTC's questions regarding Uber's data security practices, including questions about any other security incidents affecting user personal information. According to the government and court testimony, Sullivan continued to participate in the FTC investigation but did not disclose the 2016 incident to the FTC or to Uber's general counsel.
When a new chief executive joined the company and learned of the breach in 2017, Uber finally disclosed the breach to the public and the FTC. Uber also fired Sullivan in 2017, and federal prosecutors charged him in a 2020 indictment with obstruction of FTC proceedings in violation of 18 U.S.C. § 1505 and misprision, or concealment, of a felony in violation of 18 U.S.C. § 4.
According to a Department of Justice press release announcing the guilty verdict, Sullivan faces a maximum of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge. His sentencing will take place at a later date.