By Rick Cruz
Last month, a panel of jurors found Joe Sullivan, former Uber Head of Security, guilty of obstruction. The former executive is being charged for a cyber security incident in 2016, when he actively hid news of a massive security breach from public knowledge during a Federal Trade Commission (FTC) Investigation.
Sullivan onboarded with the global company in 2015 as the Chief of Security. At the time, the ridesharing company had recently endured one of its largest security breaches yet, in which hackers gained access to sensitive information of over 100,000 drivers. The massive 2014 security breach garnered widespread public attention and prompted an internal investigation by the FTC.
During the investigation, Sullivan withheld crucial information of another cyber attack from the federal agency.
Ten days after providing sworn testimony to the FTC, Sullivan was contacted by two hackers that informed him that they had retrieved the private information of thousands of customers and demanded that Sullivan pay them a total of $100,000. Rather than report this information to the government, Sullivan elected to maintain the security breach from reaching the public by urging his team to maintain silence.
Sullivan ultimately paid out the hackers the entire $100,000 ransom they leveraged. Sullivan did this by paying the two hackers through Uber’s Bug Bounty program. A program in which the company recruits hackers to intentionally hack through their system in order to find any defects that malicious hackers may use to gain access to private information.
Stephanie Hinds, a US legal attorney for San Francisco, offered her view on the former executive’s actions: “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said Hinds. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
The four-week trial ended recently in San Francisco where the platform is headquartered. Jurors deliberated for 19 hours before finding Sullivan guilty of one charge of obstruction of justice and another of misprision of a felony. Sullivan may face up to a total of 8 years and a $500,000 fine.
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
This news forces the millions of customers of Uber to lose confidence in the platform’s ability to keep their information safe from malicious hackers
Sullivan is currently out free on bail and is awaiting a sentencing hearing.
Rick is a current Senior at UC Berkeley studying English. He is from the Los Angeles Area and writes for the Social Justice Desk of the Vanguard at Berkeley. He loves any thrilling outdoor activies such as camping, fishing, bungee jumping and skydiving.