Uber's Former Head of Security Convicted Over Concealing 2016 Data Breach

The 2016 Uber hack exposed the personal data of 57 million people but wasn't disclosed for a year.

Corinne Reichert Senior Editor

Uber's former head of security, Joe Sullivan, was found guilty in a federal court Wednesday of concealing a 2016 data breach for more than a year. A jury rejected Sullivan's argument that other Uber executives were aware of the data breach and responsible for it not being publicly disclosed for over a year, according to Bloomberg.

Sullivan was convicted of obstructing justice by keeping the breach hidden from the Federal Trade Commission and actively hiding a felony by authorizing payments to the hacker responsible, according to the Washington Post.

The 2016 Uber hack exposed the personal data of 57 million drivers and users of the ride-sharing app, including names, email addresses and driver's license numbers.

The hack occurred in October 2016 but wasn't disclosed publicly until November 2017. Uber learned of the data breach in November 2016 and paid $100,000 for the cyber thief to delete the information.

In September 2018, Uber reached a settlement with all 50 US states and the District of Columbia to pay $148 million for failing to report the hack.

Uber didn't immediately respond to a request for comment.

Uber was again breached by a cyber attacker last month, with Uber laying the blame on hacking group Lapsus$, which has breached Microsoft, Cisco, Samsung, Nvidia, Okta and Rockstar Games in 2022. 

Uber said last month's hack likely involved a contractor's personal device becoming infected with malware when they accepted a verification notification, leading to their credentials becoming exposed. The employee's credentials were then likely purchased from the dark web. Uber says no personal data was compromised.