Former Uber CSO hit with federal wire fraud charges for 2016 breach

The former chief security officer (CSO) of Uber has been charged by a federal grand jury with three counts of wire fraud for allegedly failing to inform several hundred thousand Uber drivers that their driver’s licenses had been exposed during an embarrassing 2016 breach and cover-up at the popular ride-sharing service.

The superseding charges against Joe Sullivan follow the original charges of obstruction of justice and concealing a felony, filed in August 2020. Prosecutors claim that Sullivan should have reported the 2016 breach to authorities, a breach that exposed the personal information of 57 million riders, including some 600,000 drivers.

Uber paid a $148 million settlement to the 50 states and the District of Columbia in 2018, but the separate criminal charges against Sullivan moved forward. If convicted of the 2020 charges, Sullivan faces up to eight years in prison and a $500,000 fine. The superseding wire fraud charges pertaining to not informing the Uber drivers carry a maximum sentence of 20 years and a $250,000 fine.

A court date for Sullivan, who now serves as Cloudflare’s CSO, has not been set.

John Bambenek, principal threat hunter at Netenrich, said the problem with breach notification laws is that they are difficult to enforce because “regulators don’t know what they don’t know.”

“In this case, they allege there was a concealment of a breach and are charging it in criminal court,” Bambenek said. “If successful, this will do more to encourage breach notifications than any changes to the law.”

Jake Williams, co-founder and CTO at BreachQuest, said while he thinks more robust breach notification laws are needed, he’s not sure that this case really highlights that need. Williams said as he understands it, initial charges were filed because the FTC was already investigating Uber’s security and privacy practices and the defendant misled investigators about it.

“The superseding indictment with the wire fraud charges doesn’t really point to the need for more, or better, breach disclosure regulations,” Williams said. “This whole case is about the defendant intentionally withholding data from federal investigators — always a losing move. If he’s willing to break the law there, he certainly wouldn’t have cared about other disclosure regulations. The government is making an example of Sullivan to ensure it has easier access to data in other investigations.”
