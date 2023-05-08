Sullivan, 54, had just taken charge of Uber's network security when the Federal Trade Commission began investigating the company for a 2014 data breach. He played a key role in explaining Uber's security program to the FTC, testifying under oath on how the company was dealing with cybersecurity issues.
However, ten days after his testimony in November 2016, Sullivan was informed of another hack. The breach featured the same vulnerability uncovered in 2014. The 2016 attack affected the records of around 57 million Uber riders and drivers.
But instead of disclosing the breach, Sullivan reportedly orchestrated a cover up to keep the FTC in the dark, including by paying off the hackers and having them sign non-disclosure agreements swearing not to tell anyone about the breach.
Sullivan and a lawyer on his team put the agreements together, misrepresenting that the hackers did not take or keep any data uncovered in the breach. He continued working with the FTC on the agency's investigation without disclosing the latest attack. But in the fall of 2017, things began to unravel as a new Uber management began investigating the 2016 incident. When Uber’s new CEO, Dara Khosrowshahi, asked Sullivan what had happened, Sullivan lied, saying that the hackers did not steal any data.
He also lied to outside lawyers with Uber also investigating the incident, the Justice Department said. A jury found Sullivan guilty of two felonies in October 2022.