Skip to Content

Former Uber CSO sentenced in Data Breach Investigation

on Tuesday, 23 May 2023 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On May 5, 2023, Joseph Sullivan, the former Chief Security Officer (CSO) for Uber Technologies, Inc. (“Uber”), was sentenced to 3 years of probation, a fine of $50,000, and 200 hours of community service.[1]  The sentence was for the actions of Sullivan in trying to cover-up a cyber-hack of Uber driver information. 

Sullivan’s tenure as Uber’s CSO began in 2014 after Uber suffered a cyber-attack.  Although Sullivan was not CSO at the time of the initial cyber-attack, he testified in March of 2016 regarding security changes Uber had implemented.  Uber enhanced security on its network and added security measures to protect the encryption keys for information maintained on Amazon Web Services (AWS).  Sullivan testified that the changes would ensure the data was safe and no longer subject to the same vulnerabilities as in the 2014 hack.

Ten days after the testimony, Sullivan learned that cyber-attackers had stolen personal information of Uber drivers using the same security flaws used in the 2014 hack.  Instead of disclosing the new data theft, Sullivan initiated a cover-up by trying to describe the hack as the result of a bug-bounty program at Uber.[2]  However, Sullivan knew that “[a]t this time, the terms of Uber’s “bug bounty” program clearly excluded the precise technique employed by the hackers.”[3]

Sullivan also led other members of his team to believe that he was briefing Uber executives on the response to the hack.  This posturing was designed to keep his team from talking to others or in any way disclosing the hack by leading them to believe he was addressing the issue with the executive team.

The judge in the sentencing noted that while Sullivan was receiving probation, the next CSO who might engage in such behavior may be subjected to jail or prison.

While the facts and circumstances of the Uber hacks are unlikely to be repeated, the case should serve as a warning that attempts to cover up or not report cybersecurity incidents may lead to criminal charges and consequences.  Therefore, companies should take care to investigate possible data thefts thoroughly and disclose and report data breaches in a timely manner.

[1] United States v. Sullivan (3:20-cr-00337), Document Number 257

[2] United States v. Sullivan (3:20-cr-00337), Document Number 254, pg. 7

[3] IBID

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500