A criminal complaint was filed last week in federal court charging Joseph Sullivan with obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies Incorporated. The charges were announced by United States Attorney David L. Anderson and FBI Deputy Special Agent in Charge Craig D. Fair.
According to the complaint, between April 2015 and November 2017, Sullivan, 52, of Palo Alto, Calif., served as Uber’s Chief Security Officer. During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. The hackers ultimately revealed that they had accessed and downloaded an Uber database containing personally identifying information, or PII, associated with approximately 57 million Uber users and drivers. The database included the drivers’ license numbers for approximately 600,000 people who drove for Uber. The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.
“Silicon Valley is not the Wild West,” said U.S. Attorney Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
“Concealing information about a felony from law enforcement is a crime,” said Deputy Special Agent in Charge Fair. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
The complaint describes how Sullivan played a pivotal role in responding to FTC inquiries about Uber’s cyber security. Uber had been hacked in September of 2014 and the FTC was gathering information about that 2014 breach. The FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath on a variety of topics. Sullivan assisted in the preparation of Uber’s responses to the written questions and was designated to provide sworn testimony on a variety of issues. On November 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again. Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email.
Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC. For example, Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program—a program in which a third party intermediary arranges payment to so-called “white hat” hackers who point out security issues but have not actually compromised data. Uber paid the hackers $100,000 in BitCoin in December 2016, despite the fact that the hackers refused to provide their true names. In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017. Since that time, Uber has responded to additional government inquiries.
The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach. Specifically, Sullivan failed to provide the new management team with critical details about the breach. In August of 2017, Uber named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.
The two hackers identified by Uber were prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The criminal complaint makes clear that “both [hackers] chose to target and successfully hack other technology companies and their users’ data” after Sullivan failed to bring the Uber data breach to the attention of law enforcement.
In sum, Sullivan is charged with obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4.
Sullivan’s initial federal court appearance has not yet been scheduled.
A complaint merely alleges that crimes have been committed, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt. If convicted, Sullivan faces a maximum statutory penalty of five years in prison for the obstruction charge and a maximum three years on prison for the misprision charge. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.
The case is being prosecuted by the Corporate Fraud Strike Force of the U.S. Attorney’s Office. The prosecution is the result of an investigation by the FBI.