Skip to content

Uber’s Former CSO Convicted of Crimes Related to Data Breach

Why This Privacy Law is Important:

In October 2022, a jury found Uber’s former chief security officer guilty of two crimes associated with a data breach at the transportation company. It is the first criminal conviction of a senior executive for obstructing an investigation into cybersecurity program compliance and concealing a cyber incident from regulators.


On October 5, 2022, a federal jury in the Northern District of California returned guilty verdicts against Joseph Sullivan on two counts: obstruction of justice and misprision of a felony. The charges stem from the role Sullivan played in responding to a 2016 data breach that compromised personal information from 57 million Uber passengers and drivers. Ironically, Sullivan once served as a federal cybercrime prosecutor for the very same US Attorney’s Office that earned the verdicts.
In November 2016, hackers broke into Uber’s database and downloaded millions of personal records. At the time, Uber was already under investigation by the Federal Trade Commission for a data breach that had occurred in 2014 and was reported to the FTC in 2015. Sullivan, who was heavily involved in responding to the FTC investigation in his role as deputy general counsel, organized a ransom payment of $100,000 in Bitcoin, under the guise of a payment through Uber’s bug bounty program.

Download the Privacy Alert to the right to get the full text and expert analysis