Skip to main content
close search
site logo
Dive Brief

Ex-Uber security chief loses hack cover-up case, faces prison

Published Oct. 6, 2022
Robert Freedman's headshot
Lead Editor
Uber Allows Employees To Return To Work At Headquarters At 20% Capacity
SAN FRANCISCO, CALIFORNIA. A sign is posted on the exterior of the new Uber headquarters on March 29, 2021 in San Francisco, California. Justin Sullivan / Staff via Getty Images
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • In what some analysts think could be the start of an era, former Uber security chief Joe Sullivan faces up to eight years in prison for folding a 2016 hacking into the company's ‘bug bounty’ program rather than reporting it to the Federal Trade Commission.  
  • “It wasn’t that long ago that it was pretty rare for senior leaders even to be fired in the aftermath of a breach,“ Scott Shackelford, a professor of business law and ethics at Indiana University, told The Wall Street Journal
  • Now, he said, “This could be the first of many criminal prosecutions.”

Dive Insight:

Sullivan was found guilty of criminal obstruction charges in San Francisco on October 5 after a three-week trial in which he argued he had protected the records of almost 60 million customers by convincing hackers to become, post-breach, part of the company’s bug bounty program.  

Under that program, the company pays hackers to find vulnerabilities in its systems so it can seal them before they’re hacked for real. 

In this case, Sullivan, already dealing with an FTC review of a 2014 hack, worked with a member of Uber’s in-house legal team to bring the hackers, if they promise not to expose the data, into the bounty program in exchange for a $100,000 crypto payment. 

Sullivan reasoned that, as part of the bounty program, the breach didn’t need to be reported to the FTC. 

“Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported,” Sullivan’s attorney, David Angeli, said in closing arguments, the Journal reported. “There was no coverup and there was no obstruction.” 

In deciding as it did, the jury thought otherwise. 

Earlier in the trial, Craig Clark, a former member of Uber’s in-house legal team, testified that Sullivan asked him to find a way to fold the hack into the bounty program so it wouldn’t have to be reported.

“I remember Joe asking or saying, ‘How can we fit this into bug bounty?’” Clark testified

Clark said he drafted an agreement for the hackers to sign, which Sullivan then changed to make it sound like the hackers had never obtained the customer data when in fact they had.  

“The x’ing out of ‘obtained’ was where it changed from an accurate statement to an inaccurate statement,” Clark said. 

As a result of his conviction, Sullivan faces a potential five-year sentence on the obstruction charge and up to three years for failing to report a felony.

“You can’t put a company in jail,” Chinmayi Sharma, a legal scholar in residence at the University of Texas at Austin, told The New York Times. “You can put an executive in jail. Now, that is on the table.”

Recommended Reading

Filed Under: Emerging Issues

Editors' picks

Company Announcements

View all | Post a press release
ContractCrab Launches AI Contract Review for In-House Legal Teams
From ContractCrab
November 14, 2024
Breaches and Bots: Law Firms Face a Trust Crisis with Clients, New Integris Survey Reveals
From Integris
November 18, 2024
Trellis Launches Trellis AI to Revolutionize Trial Court Litigation
From Trellis
November 19, 2024
Editors' picks
Latest in Emerging Issues
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell