
Ex-Uber Security Head Walks Free from Court After Concealing Major Data Breach

Ex-Uber executive Joe Sullivan used $100,000 to conceal a 2016 data breach of 57 million accounts, leading to his court conviction.


In a landmark case, Federal Judge William Orrick has sentenced Joseph Sullivan, Uber's former head of cybersecurity, to a term of probation for his role in covering up a massive security breach at Uber that occurred in 2016. The breach exposed personal data of millions of Uber users worldwide, but instead of reporting it to authorities, Sullivan and Uber executives paid hackers $100,000 to delete the data and keep the breach secret.

The breach involved hackers stealing the personal information of 57 million Uber users, including names, phone numbers, email addresses, and other personal information, along with the drivers' licenses of 600,000 Uber drivers. Despite the severity of the incident, Uber did not make any mention of the breach to the public at the time.

Sullivan was criminally charged with obstruction of justice related to the concealment of the breach. In October 2022, he was convicted of these charges, marking one of the rare instances of a cybersecurity executive facing criminal penalties for mishandling a breach.

Prosecutors previously argued for up to several years in prison for Sullivan, but Judge Orrick showed leniency because of the unusual nature of the case and because it was the first of its kind. The judge stated that Sullivan's character, as attested by numerous letters of support, was a factor in his decision.

Uber has been trying to improve its image following the breach, being more willing to show users what kind of data it has on them. However, the company still plans to use more of customers' data to conduct native advertising while in-app.

The 2016 breach came to light years later, leading to federal charges against Sullivan. It's unclear if the hacked data was ever truly deleted, despite Sullivan's attorneys arguing that the hackers signed nondisclosure agreements stating they destroyed all the hacked data.

The case has highlighted the legal risks of not properly disclosing data breaches and the importance of transparency in cybersecurity incident responses. Uber also faced a $148 million penalty related to the 2016 breach, settling with regulators for failing to protect user data adequately.

The ex-Uber CEO Dara Khosrowshahi discovered the 2016 security breach and coverup after coming onto the scene. Sullivan's attorneys have emphasized his devotion to his family and "staunch commitment to public service."

Sullivan filed a petition urging a US federal court to rehear the conviction, arguing for its overturn based on legal or procedural grounds, though the final outcome of this appeal remains pending as of July 2025.

In a more recent incident, the LAPSUS$ gang managed to access Uber's internal network and Slack channel in 2022, a breach that Uber was quicker to provide details on compared to its previous hacks.

  1. Gizmodo reported on the legal risks of not disclosing data breaches, citing the case of Joseph Sullivan, Uber's former head of cybersecurity, who was sentenced to a term of probation for covering up the 2016 breach that exposed personal data of millions of Uber users.
  2. The future of Uber's tech and cybersecurity strategies remains uncertain as Sullivan filed a petition urging a US federal court to rehear his conviction, arguing for its overturn based on legal or procedural grounds, though the final outcome of this appeal remains pending as of July 2025.
  3. In the general-news landscape, the Sullivan case serves as a reminder of the importance of transparency in technology and cybersecurity incident responses, with the case marking one of the rare instances of a cybersecurity executive facing criminal penalties for mishandling a breach.
  4. Despite the severity of the 2016 breach and the subsequent legal consequences for Sullivan, Uber continues to push the boundaries of tech and data usage, planning to use more of customers' data to conduct native advertising while in-app, raising concerns about privacy and security in the tech industry.
