Conviction of Former Uber Chief Security Officer Affirmed

  • March 15, 2025
  • Clayton Rice, K.C.

The conviction of former Uber chief security officer Joe Sullivan on charges of obstruction of justice and misprision of a felony has been upheld by the U.S. Court of Appeals for the Ninth Circuit in San Francisco, California. The charges related to his attempted cover-up of a security breach at Uber in which hackers stole the personal data of 57 million customers and the information of some 600,000 Uber drivers. Mr. Sullivan's trial was the first federal prosecution of a corporate executive in the United States for the mishandling of a data breach.

1. Introduction

On March 13, 2025, the United States Court of Appeals for the Ninth Circuit, in San Francisco, California, released its opinion in U.S. v. Joseph Sullivan affirming his convictions by a jury in the District Court for the Northern District of California for obstruction of justice and misprision of a felony. (here) The convictions stemmed from his efforts, while Chief Security Officer of Uber Technologies Inc., to cover up a major data breach while Uber was under investigation by the U.S. Federal Trade Commission over the company's data security practices. He had been sentenced to three years' probation by Judge William Orrick III, who rejected prosecutors' bid for a 15-month prison sentence at a sentencing hearing described for The Record by tech journalist Jonathan Greig as "a tense hearing that involved deep debates over how cybersecurity executives should handle law enforcement investigations." (here)

2. How the Cover Up Unfolded

In 2014 a hacker discovered an Amazon Web Services access key, a credential that authenticates requests to AWS in the way a login does, embedded in code that was publicly visible on GitHub, a platform on which developers store code. Because AWS treats whoever presents a valid key as the account that issued it, the hacker could use the key to access data that Uber stored privately on AWS, and downloaded sensitive information pertaining to tens of thousands of Uber drivers from the AWS database. Shortly after the breach became public, the FTC started an investigation into Uber's security practices, including the storage of rider and driver information on AWS and the company's "alleged deceptive statements" about those practices. In 2015, Uber hired Mr. Sullivan as its CSO; in 2016 he also took on the title of Deputy General Counsel. By that time he was involved in Uber's response to the FTC investigation. He made a presentation on Uber's data security program, testified before the Commission on Uber's data encryption program and supervised the preparation of two of Uber's official statements to the FTC.

Then, a second breach occurred in 2016 when hackers again gained access to Uber's private account on GitHub. The hackers again found and used AWS keys to access Uber's AWS datastore and download the names and driver's license numbers of 600,000 individuals. The data was stored unencrypted, so possession of the key was enough to read it. Despite the similarities between the two breaches, no one at Uber informed the FTC. Instead, Mr. Sullivan and a group of staffers tracked down the hackers and pressured them into signing a non-disclosure agreement that purported to re-characterize the hack as "research" into "vulnerabilities" under Uber's Bug Bounty Program. Through bug bounty programs, companies solicit and reward external security researchers' discovery and disclosure of vulnerabilities in the companies' systems. Uber paid the hackers $100,000 in exchange for their signatures on the NDA and an agreement to delete the downloaded data.
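The mechanism behind both breaches described above, a long-lived AWS access key committed to source code that ends up readable by outsiders, is exactly what a secret scanner run as a pre-commit hook or over repository history is meant to catch. The following is an added example written for this post; it is not code from Uber, from the court record, or from any scanning product. The file contents are constructed, and the credential values are the placeholder access key ID and secret key that AWS's own documentation uses. The key-ID prefixes (AKIA for long-term keys, ASIA for temporary ones) and the 40-character secret-key format are the real AWS formats; the entropy threshold is an assumption chosen to separate dummy values from real secrets.

```python
import math
import re
from typing import Dict, List

# Constructed sample repository contents (not Uber's code). The credential
# values are the placeholder key ID and secret that AWS uses in its own docs.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'BUCKET = "driver-documents"\n'
    ),
    "README.md": "Export AWS_SECRET_ACCESS_KEY=<your-secret-key> before running.\n",
    "tests/fixtures.py": (
        'AWS_SECRET_ACCESS_KEY = "0000000000000000000000000000000000000000"  # dummy\n'
    ),
}

# Long-term access key IDs are 20 characters beginning with AKIA; temporary
# (STS) key IDs begin with ASIA. The ID is structured, so a pattern match
# alone is a strong signal and needs no entropy filter.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 characters from a base64-like alphabet. That shape
# is common in ordinary code, so require an assignment naming the secret and
# (below) enough entropy to rule out placeholder values.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Assumed threshold in bits/char: real secrets land around 4.5, "000..." is 0.
MIN_SECRET_ENTROPY = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of a credential to identify it (first 4 + last 4) without
    reprinting it in full into CI logs, which would itself be a second leak."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> List[dict]:
    """Return findings for one file's contents; `git log -p` output works too."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "aws_access_key_id",
                             "redacted": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) < MIN_SECRET_ENTROPY:
                continue  # placeholder or dummy value, not a real secret
            findings.append({"file": path, "line": lineno,
                             "kind": "aws_secret_access_key",
                             "redacted": redact(secret)})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> contents, in insertion order."""
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['redacted']}")
```

Run it over `git log -p` output as well as the working tree: a key deleted in a later commit remains in every existing clone of a public repository, so the correct response to a hit is to treat the key as compromised and rotate it at AWS, not merely to remove it from the current revision. The redaction step matters for the same reason; a scanner that echoes the full secret into a build log has just copied it somewhere else.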

In the Criminal Complaint filed in the District Court in 2020, prosecutors asserted that when Mr. Sullivan learned that Uber’s systems had been hacked in November 2016 he “engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.” He instructed his team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under the “bug bounty” program. “However, the terms and conditions of Uber’s bug bounty program did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers for Uber-controlled systems,” the Complaint alleged. (here)

3. In the Ninth Circuit

On appeal Mr. Sullivan challenged several of the trial judge's instructions to the jury, the sufficiency of the evidence and an evidentiary ruling. In the comments that follow I will focus on the sufficiency-of-the-evidence argument relating to the conviction for misprision of a felony. Mr. Sullivan argued that the evidence of his alleged misprision was insufficient as a matter of law. Misprision, under 18 U.S.C. § 4, is the crime of "having knowledge of the actual commission of a felony" and "conceal[ing]" or failing to "as soon as possible make known the same to some judge or other person in civil or military authority under the United States." To establish misprision, the government must show that the principal committed and completed the felony alleged. In this case, that meant proving that the hackers had intentionally accessed Uber's computers without authorization and obtained information from those protected computers in violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. (here)

Writing for the unanimous three-member panel, Judge Margaret McKeown described the hackers' use of stolen credentials to access protected, private servers as a "typical CFAA violation." In hiQ Labs, Inc. v. LinkedIn Corp., the Ninth Circuit held in 2022 that a violation occurs when a person circumvents a computer's generally applicable rules regarding access permissions, such as username and password requirements, to gain access to the computer. (here) "Nobody here argues that their access, and subsequent downloading of data, was authorized beforehand," she said. Mr. Sullivan argued that Uber's post hoc authorization, by way of the NDA, retroactively rendered the hackers' access authorized, thereby erasing their felony. But because the hackers had not been given authorization by the time of access, their access was unauthorized, and nothing signed afterwards could change what they were permitted to do at that moment. "Their illegal conduct could not be laundered through the NDA," Judge McKeown added.

4. Conclusion

In his piece for The Record, Mr. Greig reported that Judge Orrick said "he received 186 letters – at least one of which was signed by more than 50 chief information security officers – that not only defended Mr. Sullivan's actions but said the case had a larger chilling effect on the entire cybersecurity industry." Judge Orrick told Mr. Sullivan he had a duty to become an evangelist among CISOs and spread the message that transparency and disclosure are paramount in situations like this. "When you go out and talk to your friends, to CISOs, tell them that you got a break not because of what you did, not even because of who you are," he said. "But because this was just such an unusual one-off – the first of its kind. If there are more, people should expect to spend time in custody."