Ex-Uber security chief accused of hushing database breach must face fraud charges
Company execs and their lawyers are paying close attention to this one
A US judge yesterday threw out an attempt to dismiss wire fraud charges against a former Uber employee accused of trying to cover up a computer crime.
Former Uber security chief Joseph Sullivan is set to face criminal charges after US District Judge William Orrick yesterday [PDF] rejected his claim that prosecutors did not "adequately" allege that the goal of the claimed misrepresentation of the security breach was to get Uber's drivers to stay with the platform and continue paying service fees.
In December last year, a federal grand jury handed down a superseding indictment adding wire fraud to the list of charges pending against Sullivan for his role in the alleged attempted cover-up of the 2016 security breach at Uber. The incident led to around 57 million user and driver records being stolen.
In 2020, Sullivan — who had also worked for eBay, Facebook, and PayPal — was charged with obstruction of justice and misprision (concealing knowledge of a crime from law enforcement) by the US District Attorney for Northern California, another former employer.
"Although the superseding indictment does not state that Sullivan made any misrepresentations directly to those drivers, it does allege that misrepresentations made to others were part of his scheme to defraud them. That is enough for the wire fraud counts to proceed. The motion is denied," yesterday's order, handed down in a San Francisco court, says.
- Rows, columns, and the search for a database that can do everything
- Big Tech's maps led ride-sharing giant Grab astray
- Enemies Waymo, Uber now friends making self-driving-ish trucks for US highways
- Uber: Hackers stole 57 million passengers, drivers' info. We also bribed the thieves $100k to STFU
Uber ended Sullivan's employment after it learned of the extent of the security breach.
Prosecutors accused the former CSO of arranging to pay the perpetrators $100,000 in bitcoin while also making them sign nondisclosure agreements that falsely stated they had not stolen data.
In September 2018, Uber paid $148 million to settle claims by all 50 US states and Washington, DC that it had been too slow to reveal the security breach.
According to legal professionals who spoke to newswire Law360 when the 2020 indictment was filed, this is the first time a US company exec "has faced criminal liability for allegedly covering up a data breach," a situation that may have companies in similar positions, and their lawyers, watching this case very closely. ®
- Advanced persistent threat
- Black Hat
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Remote Access Trojan
- RSA Conference
- Trusted Platform Module
- Zero trust