Please E-mail suggested additions, comments and/or corrections to Kent@MoreLaw.Com.

Help support the publication of case reports on MoreLaw

Date: 10-06-2022

Case Style:

United States of America v. Joseph Sullivan

Case Number: 3:20-cr-00337

Judge: William H. Orrick

Court: United States District Court for the Northern District of California (San Francisco County)

Plaintiff's Attorney: United States Attorney’s Office

Defendant's Attorney:




Click Here to Watch How To Find A Lawyer by Kent Morlan


Click Here For The Best San Francisco Criminal Defense Lawyer Directory


If no lawyer is listed, call 918-582-6422 and MoreLaw will help you find a lawyer for free.

Description: San Francisco, California criminal law lawyer represented Defendant charged with obstruction of justice and misprison of a felony.

Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. ("Uber") was charged with obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber.

“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”

“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” said FBI Special Agent In Charge Tripp. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain."

The circumstances regarding Sullivan’s violations of the law involve two separate hacks of Uber’s databases—one in 2014 and another in 2016. The evidence at trial established that Sullivan was hired as Uber’s Chief Security Officer (“CSO”) in April 2015. At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014 (“2014 Data Breach”) and that the breach related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and driver’s license numbers. In the wake of that disclosure, the FTC’s Division of Privacy and Identity Protection embarked on an investigation of Uber's data security program and practices. In May 2015, the month after Sullivan was hired, the FTC served a detailed Civil Investigative Demand on Uber, which demanded both extensive information about any other instances of unauthorized access to user personal information, and information regarding Uber’s broader data security program and practices.

The evidence at trial demonstrated that Sullivan, in his new role as CSO, played a central role in Uber's response to the FTC. Specifically, Sullivan supervised Uber’s responses to the FTC’s questions, participated in a presentation to the FTC in March 2016, and testified under oath, at length, to the FTC on November 4, 2016, regarding Uber’s data security practices. Sullivan’s testimony included specific representations about steps he claimed Uber had taken to keep customer data secure.

Exactly ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.

The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.

The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.

In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO that had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.

In addition, the two hackers identified by Uber were ultimately prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and now await sentencing. The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.

In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge. However, any sentence following conviction would be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Sullivan remains free on bond pending sentencing. His sentencing will be set at a later date.

The case is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s Office. The prosecution is the result of an investigation by the FBI.

18:1505 - Obstruction of Proceedings before the Federal Trade Commission
(1)

Whoever, with intent to avoid, evade, prevent, or obstruct compliance, in whole or in part, with any civil investigative demand duly and properly made under the Antitrust Civil Process Act, willfully withholds, misrepresents, removes from any place, conceals, covers up, destroys, mutilates, alters, or by other means falsifies any documentary material, answers to written interrogatories, or oral testimony, which is the subject of such demand; or attempts to do so or solicits another to do so; or

Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States, or the due and proper exercise of the power of inquiry under which any inquiry or investigation is being had by either House, or any committee of either House or any joint committee of the Congress—

Shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.

18:4 - Misprision of a Felony
(2)

Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.

18:1343 - Wire Fraud
(3s-5s)

Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation occurs in relation to, or involving any benefit authorized, transported, transmitted, transferred, disbursed, or paid in connection with, a presidentially declared major disaster or emergency (as those terms are defined in section 102 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122)), or affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

Outcome: Defendant was found guilty of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records.

Plaintiff's Experts:

Defendant's Experts:

Comments:



Find a Lawyer
Subject:
City:
State:
 

Find a Case
Subject:
County:
State: