A federal grand jury has charged Uber’s former chief security officer (CSO) with three counts of wire fraud for reportedly failing to inform several hundred thousand Uber drivers that their driver’s licenses had been exposed during a 2016 breach.
The superseding charges made to Joe Sullivan, 52, who served as Uber’s CSO from April 2015 through November 2017, followed original charges in August 2020 of obstruction of justice and concealing a felony. If convicted of those charges, Sullivan faces up to eight years in prison and a $500,000 fine.
Prosecutors claim that Sullivan should have reported the 2016 breach to authorities, a breach that exposed the personal information of 57 million riders, including some 600,000 drivers.
In 2018, Uber paid a $148m settlement to the 50 states and the District of Columbia. Notwithstanding, the separate criminal charges against Sullivan progressed. Sullivan faces up to eight years in prison and a $500,000 fine if convicted of the 2020 charges.
A court date for Sullivan, who now serves as Cloudflare’s CSO, has not been set.
“Institutions that store personal information of others must comply with the law,” said Stephanie M. Hinds, the acting U.S. Attorney for the Northern District of California, where Sullivan formerly served as a federal prosecutor.
“When hacks like this occur, state law requires notice to victims,” Hinds said. “Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either.
"We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company.”