August 21, 2020

Former Uber security chief charged with obstruction of justice in connection with 2016 data breach

On August 20, 2020, Joseph Sullivan, who served as Chief Security Officer for Uber Technologies Inc. from April 2015 to November 2017, was charged in the US District Court for the Northern District of California with one count each of obstruction of justice, in violation of 18 U.S.C. § 1505, and misprision of a felony, in violation of 18 U.S.C. § 4.

The charges relate to the November 2016 hack of Uber’s computer systems.  The complaint alleges that Sullivan concealed evidence of the hack, instructed his team to keep knowledge of the breach tightly controlled, falsely reported that no data was compromised, used the company’s white-hat hacker reward program to pay the hackers $100,000, and lied to the company and federal authorities about the events. 

The nature and extent of the hack were discovered by new management brought into the company in 2017, although, according to the complaint, Sullivan lied to the new CEO about the circumstances surrounding the data breach.  Uber’s new management disclosed the breach to the US Federal Trade Commission in November 2017, and Sullivan’s employment was terminated at around the same time.