SAN FRANCISCO – A federal grand jury handed down a superseding indictment today adding wire fraud to the list of charges pending against Joseph Sullivan for his role in the alleged attempted cover-up of the 2016 hack of Uber Technologies Incorporated, announced Acting United States Attorney Stephanie M. Hinds and FBI Special Agent in Charge Craig D. Fair. The 2016 hack implicated approximately 57 million user and driver records—Sullivan already was charged with obstruction of justice and misprision of a felony in connection with the alleged attempted cover-up of the incident.
Sullivan, 52, of Palo Alto, Calif., was serving as Uber’s Chief Security Officer when hackers revealed to him that they had accessed and downloaded an Uber database containing personally identifying information, or PII, including approximately 600,000 driver’s license numbers associated with certain Uber drivers. The superseding indictment describes how Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack. The superseding indictment further alleges that Sullivan took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach.
“Institutions that store personal information of others must comply with the law,” said Acting U.S. Attorney Hinds. “When hacks like this occur, state law requires notice to victims. Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either. We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company.”
“If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair. “This case should serve as an example to corporations and company executives that working with the FBI is crucial when dealing with the aftermath of a breach; such communication is a best practice in preventing the loss of data and private information.”
The newly filed allegations of wire fraud center around Sullivan’s attempt to defraud Uber’s drivers by failing to disclose the 2016 breach. Specifically, the superseding indictment describes how California law, under certain circumstances, requires businesses operating in the state to notify residents whose information may have been stolen in such data breaches. The superseding indictment further alleges that, rather than notify the drivers of the breach, Sullivan took deliberate steps to ensure Uber’s drivers and others did not learn the true nature of the incident. Among the steps taken by Sullivan to suppress discovery of the breach was his plan to have two of the hackers execute non-disclosure agreements. The non-disclosure agreements falsely stated the hackers had neither taken nor stored Uber’s data in the 2016 breach. In addition, Sullivan allegedly misrepresented to Uber’s new chief executive officer the nature and scope of the data that was compromised; falsely suggested to the new CEO that the incident was not a data breach; and sent an email falsely claiming that the data breach was not, in fact, a data breach at all, but rather an incident that was no more severe than other security incidents.
The superseding indictment also incorporates the obstruction of justice and misprision of a felony charges described in previously filed documents. Documents filed earlier in the case provide background for the charges. For example, the documents describe how Sullivan played a pivotal role in responding to FTC inquiries about Uber’s cyber security. Specifically, Uber had been hacked in September of 2014 and the FTC was gathering information about that 2014 breach. After the FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath on a variety of topics, Sullivan assisted in the preparation of Uber’s responses to the written questions and was designated to provide sworn testimony on a variety of issues. On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again. Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email.
Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC. For example, as described above, Sullivan arranged to pay off the hackers in exchange for them signing non-disclosure agreements that contained the false representation that the hackers did not take or store any data. In addition, Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program—a program in which a third-party intermediary arranges payment to so-called “white hat” hackers who point out security issues but have not actually compromised data. In addition, Uber paid the hackers $100,000 in Bitcoin in December 2016, despite the fact that the hackers refused to provide their true names. Uber was ultimately able to identify the two hackers in January 2017 and required them to execute new copies of the non-disclosure agreements in their true names. The two hackers identified by Uber were ultimately prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the nature of the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.
The superseding indictment merely alleges that crimes have been committed, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt.
Sullivan is charged with three counts of wire fraud, in violation of 18 U.S.C. § 1343; obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4. If convicted, he faces a maximum statutory penalty of 20 years in prison for each count of wire fraud, five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.
Sullivan’s arraignment on the new charges has not yet been scheduled.
Uber’s new management ultimately discovered the truth about the breach and disclosed the breach publicly, and to the FTC, in November 2017. Since that time, Uber has responded to additional government inquiries.
The case is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s Office. The prosecution is the result of an investigation by the FBI.
Further Information: Case #: 20-337 WHO
Source: U.S. Attorney’s Office, Northern District of California
Updated: I’ve uploaded the superseding indictment, below: