On October 5, 2022, after a monthlong jury trial, former Uber Chief Information Security Officer Joseph Sullivan was found guilty of obstructing proceedings of the Federal Trade Commission (FTC) and misprision of a felony related to failure to disclose two data breaches in 2014 and 2016. Sullivan remains on bond pending his sentencing, where he faces a maximum sentence of five years for the obstruction charge and three years for the misprision charge.
Sullivan was hired by Uber in 2015 and handled the company’s response to the FTC regarding the 2014 breach. Sullivan supervised Uber’s responses to the FTC, testified under oath to the committee regarding the company’s data protections, and supported a preliminary settlement entered into by Uber and the FTC in the summer of 2016.
However, shortly after Sullivan’s testimony in 2016, Uber fell victim to another cyber-attack.
This time hackers contacted Sullivan directly to demand a ransom in exchange for deletion of a massive quantity of stolen records involving approximately 57 million Uber users and 600,000 driver license numbers. After verifying the accuracy of the hackers’ claims, Sullivan attempted to keep the hack a secret by directing his staff to prevent any information from leaking and by negotiating non-disclosure agreements with the hackers in exchange for a $100,000 payment in bitcoin via the company’s “bug bounty” program. Meanwhile, Sullivan continued to work on the FTC’s inquiry into the 2014 data breach without disclosing the 2016 breach.
Sullivan also misled Uber’s new management and the company’s outside counsel tasked with investigating the data breach in the fall of 2017. Despite Sullivan’s efforts, the 2016 breach came to light in November 2017 after Uber’s new management disclosed it publicly and to the FTC.
Sullivan’s conviction – which is the first instance in which a senior company executive faced personal criminal liability for a third-party data breach – is part of a larger trend toward more aggressive DOJ enforcement related to cybersecurity and downstream issues. His conviction signals that DOJ will not shy away from looking to hold executives criminally accountable for company responses to data breaches, particularly if the executive is not forthcoming about a breach. It may also cause a number of professionals to rethink their career progressions.