IE 11 is not supported. For an optimal experience visit our site on another browser.

Former Uber security chief found guilty of concealing data breach

Joe Sullivan was accused of failing to report to authorities a 2016 cybersecurity incident that affected the data of 57 million passengers and drivers.
Washington, D.C., scenics
An Uber driver in Washington, D.C.Robert Alexander / Getty Images file
/ Source: Reuters

A San Francisco jury has found Uber Technologies Inc’s former chief security officer Joe Sullivan guilty of criminal obstruction for failing to report a 2016 cybersecurity incident to the authorities, a spokesperson from the Department of Justice confirmed on Wednesday.

Sullivan, who was fired from Uber in 2017, was found guilty on two counts, namely obstruction of justice and deliberate concealment of felony.

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught,” said Stephanie Hinds, U.S. Attorney for the Northern District of California.

The case pertains to a breach at Uber’s systems that affected data of 57 million passengers and drivers. The company did not disclose the incident for a year.

In July, Uber accepted responsibility for covering up the breach and agreed to cooperate with the prosecution of Sullivan over his alleged role in concealing the hacking, as part of a settlement with U.S. prosecutors to avoid criminal charges. 

Sullivan’s lawyer David Angeli and the FTC did not immediately respond to Reuters’ requests for comment.

Sullivan was originally indicted in September 2020. Prosecutors had said at the time he arranged to pay the hackers $100,000 in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data.

Sullivan was also accused of withholding information from Uber officials who could have disclosed the breach to the FTC, which had been evaluating the San Francisco-based company’s data security following a 2014 breach.

In September 2018, Uber paid $148 million to settle claims by all 50 U.S. states and Washington, D.C., that it was too slow to disclose the hacking.