The former chief security officer (CSO) of Uber has been charged by a federal grand jury with three counts of wire fraud for allegedly failing to inform several hundred thousand Uber drivers that their driver’s licenses had been exposed during an embarrassing 2016 breach and cover-up at the popular ride-sharing service.
The superseding charges made to Joe Sullivan followed original charges of obstruction of justice and concealing a felony in August 2020. Prosecutors claim that Sullivan should have reported the 2016 breach to authorities, a breach that exposed the personal information of 57 million riders, including some 600,000 drivers.
Uber paid a $148 million settlement to the 50 states and the District of Columbia in 2018, but the separate criminal charges against Sullivan moved forward. If convicted of the 2020 charges, Sullivan faces up to eight years in prison and a $500,000 fine. The superseding wire fraud charges pertaining to not informing the Uber drivers carry a maximum sentence of 20 years and a $250,000 fine.
A court date for Sullivan, who now serves as Cloudflare’s CSO, has not been set.
John Bambenek, principal threat hunter at Netenrich, said the problem with breach notification laws are that they are difficult to enforce because “regulators don’t know what they don’t know.”
“In this case, they allege there was a concealment of a breach and are charging it in criminal court,” Bambenek said. “If successful, this will do more to encourage breach notifications than any changes to the law.”
Jake Williams, co-founder and CTO at BreachQuest, said while he thinks more robust breach notification laws are needed, he’s not sure that this case really highlights that need. Williams said as he understands it, initial charges were filed because the FTC was already investigating Uber’s security and privacy practices and the defendant misled investigators about it.
“The superseding indictment with the wire fraud charges doesn’t really point to the need for more, or better, breach disclosure regulations,” Williams said. “This whole case is about the defendant intentionally withholding data from federal investigators — always a losing move. If he’s willing to break the law there, he certainly wouldn’t have cared about other disclosure regulations. The government is making an example of Sullivan to ensure it has easier access to data in other investigations.”