SAN FRANCISCO – Joseph Sullivan was sentenced to serve a three-year term of probation and ordered to pay a fine of $50,000, announced First Assistant United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp. The sentence was handed down by the Hon. William H. Orrick, United States District Judge, after a jury found Sullivan guilty of two felonies in October 2022.
Sullivan, 54, from Palo Alto in Santa Clara County, previously served as the Chief Security Officer for Uber Technologies, Inc. (“Uber”). The evidence at trial established that while Sullivan was serving in that role, Uber was under investigation by the Federal Trade Commission (“FTC”) as a result of a data breach Uber had suffered in 2014. The FTC’s Division of Privacy and Identity Protection, which is charged with overseeing issues related to consumer privacy and information security, among other things, ultimately investigated both the nature and circumstances of that 2014 data breach and Uber’s broader cybersecurity program. Sullivan was hired soon after the FTC investigation launched, and he participated in Uber’s response to that investigation, including its efforts to comply with investigative demands issued by the FTC. Among other things, Sullivan participated in a presentation to the FTC in March 2016 regarding Uber’s cybersecurity program, and he testified under oath in November 2016.
As established at trial, ten days after his sworn FTC testimony, Sullivan learned that Uber had been hacked again. Furthermore, the hackers had exploited the same vulnerability that had led to the 2014 breach. Unlike the 2014 breach, however, the data stolen in 2016 was massive in scale and included records associated with approximately 57 million Uber users and drivers. Despite having testified regarding that same security vulnerability and related issues ten days prior, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out” and stated that the breach would “play very badly based on previous assertions” to the FTC. He also arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone. Those contracts, drafted by Sullivan and a lawyer assigned to his team, falsely represented that the hackers did not take or store any data in their hack. Thereafter, Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the General Counsel of Uber, but he withheld information about the breach from all of them. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016 without disclosing the 2016 data breach to the FTC. As part of the negotiations, Sullivan learned that the FTC was relying on false information previously provided by Uber, but he failed to alert any of Uber’s lawyers or the FTC.
In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied about the circumstances of the breach, including by telling the CEO that the hackers did not steal any data. Sullivan lied again to Uber’s outside lawyers who were conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.
Assistant U.S. Attorneys Andrew F. Dawson and Benjamin Kingsley are prosecuting the case, with the assistance of Patricia Mahoney and Nina Burney. The prosecution is the result of an investigation by the FBI.
Further Information:
United States v. Joseph Sullivan, Case #: 20-337 WHO
Source: Department of Justice