Uber’s former security chief Sullivan convicted of hiding big data hack
Sullivan accused of quietly arranging for Uber to pay the hackers $100,000 in bitcoin to delete the stolen data
Uber Technologies’ former security chief Joe Sullivan was this week convicted of concealing a huge data breach in a case that prosecutors tied to the company’s troubled past under its original leadership.
Sullivan was found guilty in San Francisco federal court on Wednesday by a jury, which rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.
The trial featured almost four weeks of testimony that explored cybersecurity management, as well as a shake-up at Uber in 2017, when a series of scandals drove co-founder Travis Kalanick out as CEO.
Sullivan was convicted of both charges against him, obstructing a government investigation and concealing the theft of personal data of 50-million customers and 7-million drivers.
Sullivan, a former federal prosecutor who previously headed security for Facebook, is well-known for his expertise in the field in Silicon Valley. He faces as long as eight years in prison, though his sentence will likely be far less.
“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days.”
Companies are required under state and federal laws to promptly disclose data breaches. Uber’s mishandling of the 2016 attack on its servers resulted in the company paying $148m in a settlement with all 50 states, which at the time was the biggest data-breach payout in US history. Uber had previously been reprimanded by the Federal Trade Commission (FTC) over a similar data breach from 2014.
“Sullivan affirmatively worked to hide the data breach from the FTC and took steps to prevent the hackers from being caught,” Stephanie Hinds, US attorney for San Francisco, said in an emailed statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
‘Bug bounty’
Sullivan was accused of quietly arranging for Uber to pay the hackers $100,000 in bitcoin to delete the stolen data under the guise of a programme used to reward security researchers for identifying vulnerabilities, known as a “bug bounty”. In return, the two hackers agreed not to disclose that they had stolen the data. The hackers later pleaded guilty for their role in the incident.
The October 2016 hack stayed secret until the following November when it was disclosed by the new CEO, Dara Khosrowshahi, about three months into his tenure. At the same time, he fired Sullivan.
Khosrowshahi testified that after discovering inconsistencies in Sullivan’s account of what happened, he decided it was time to replace his security chief. “I couldn’t trust his judgment any more,” he said.
Sullivan’s defence was that Uber’s legal department and other managers were aware of the incident before it blew up publicly.
Angeli challenged the notion of a cover-up by pointing to Sullivan’s sharing of information with numerous employees, before Khosrowshahi arrived at the company. Jurors were shown a 1.24am text that Sullivan sent to Kalanick describing the breach less than 12 hours after it happened.
“Remember, Mr Kalanick is the top person at Uber,” Angeli said at closing arguments. “Mr Sullivan could not have reported this to someone higher up at the company.”
Prosecutors argued that Sullivan, who joined Uber in 2015, was well aware of the requirements to disclose the breach, especially after the company’s dealings with the FTC over the 2014 hack.
Sullivan, who was supposed to have improved security after the earlier breach, didn’t want the details of the new hack to get out because it would have hurt his reputation, prosecutor Ben Kingsley told jurors.
Rather than disclose it, Sullivan “prioritised his reputation, and the company’s reputation, over his obligations”, he said.
Sullivan didn’t testify, nor did Kalanick.
Bloomberg News. More stories like this are available on bloomberg.com
Published by Arena Holdings and distributed with the Financial Mail on the last Thursday of every month except December and January.