Joseph Sullivan, 52, of Palo Alto, Calif., the former Chief Security Officer of Uber Technologies, has been charged with obstruction of justice and misprision of a felony for orchestrating a cover-up of a massive 2016 data breach that compromised the personal information of 57 million Uber users and drivers. Federal prosecutors unsealed a criminal complaint in San Francisco detailing how Sullivan allegedly concealed the hack from federal regulators and paid hush money to the perpetrators in exchange for silence.
The breach, the result of a cyberattack that occurred in late 2016, exposed sensitive personally identifying information, including driver's license numbers for approximately 600,000 U.S. drivers. Two hackers contacted Sullivan directly, demanding a six-figure payment. Instead of reporting the breach to authorities, Sullivan allegedly funneled $100,000 in Bitcoin to the hackers through Uber’s bug bounty program—an initiative meant to reward ethical hackers, not cybercriminals who steal data. The payment was disguised as a legitimate security reward, even though the hackers refused to disclose their real identities.
Sullivan’s role became even more incriminating when he directed the creation of false non-disclosure agreements that claimed the hackers had not accessed or stored any data. When an Uber employee questioned the false language, Sullivan insisted it remain. Later, after Uber’s internal team identified the two hackers, Sullivan arranged for them to sign new NDAs under their real names—again containing the same fabricated claim that no data was taken. These actions were designed to mislead both the company and federal investigators.
The cover-up unraveled while Sullivan was under scrutiny from the Federal Trade Commission, which was already investigating Uber’s cybersecurity practices following a 2014 breach. Sullivan had helped prepare Uber’s responses to the FTC and was designated to testify under oath. Just 10 days after giving sworn testimony on November 4, 2016, he was informed of the new breach—yet he concealed it from regulators. His actions allegedly obstructed the FTC’s oversight and violated federal reporting obligations.
“Silicon Valley is not the Wild West,” said U.S. Attorney David L. Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.” The DOJ’s message is clear: executives who enable cybercriminals to evade justice will face criminal consequences.
“Concealing information about a felony from law enforcement is a crime,” added FBI Deputy Special Agent in Charge Craig D. Fair. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.” The case, now in federal court, marks a rare criminal prosecution of a top corporate security executive for covering up a cyberattack.
Key Facts
- State: California
- Agency: DOJ USAO
- Category: Cybercrime

