Uber’s Former Security Chief Convicted of 2016 Data Breach Cover-Up

Uber’s former chief security officer was convicted of federal charges for illegally covering up the theft of Uber drivers’ and customers’ personal information in 2016.

Joe Sullivan was originally charged in 2020 with obstruction of justice and misprision. He was convicted on both counts on Wednesday October 5, 2022.

The news comes five years after Uber CEO Dara Khosrowshahi issued a statement acknowledging that in late 2016, hackers had broken into the ride-hailing giant’s infrastructure and stolen 57 million customer and driver records. 

At the time, Sullivan and Craig Clark, legal director of security and law enforcement, were consequently fired as a result.

A year later, in 2017, court documents showed Sullivan had learned of the theft in November 2016 but tried to cover up that theft by trying to disguise the ransom payment made to the threat actors to recover the data as a bug bounty award.

“In years gone by, companies would attempt to cover up their data breaches in the thought that this would impact the business less,” Jake Moore, global cybersecurity advisor at ESET, tells Infosecurity Magazine.

“However, with data thefts growing in huge swathes across all industries along with the introduction of GDPR, it is now far more noble to own up to a breach and offer support and help to those affected in a timely manner.”

According to the executive, time is of the essence in a data breach where private information has been stolen, so customers must be alerted immediately.

“It is now even mildly expected that a company will be attacked and potentially have a data leak; therefore, it is more interesting to monitor how a company owns up to a breach and handles the aftermath of the breach.”

Sullivan’s conviction comes weeks after Uber was compromised again. This time, the tech giant blamed the Lapsus$ group for the breach.