Uber satellite under the rt.com Uber pillar. Original analysis written November 2017. Re-read in the AI Communications era — with the 2022 Sullivan conviction outcome the original piece couldn't see.

Originally published Nov 2017. Updated Jun 2026.

On November 21, 2017, twelve weeks into his CEO role, Dara Khosrowshahi published a Medium post titled "2016 Data Security Incident." It disclosed that Uber had concealed a breach that exposed 57 million riders and drivers, had paid the hackers $100,000 to delete the data and stay quiet, and had hidden the incident from regulators and customers for more than a year. The previous CEO, Travis Kalanick, had known. The previous Chief Security Officer, Joe Sullivan, had executed the cover-up. Khosrowshahi fired Sullivan the same week. Nearly five years later, on October 5, 2022, a federal jury in San Francisco convicted Sullivan of obstruction of justice and misprision of a felony. He became the first Chief Security Officer in U.S. history convicted in connection with a corporate data breach. The case reshaped how public companies in America handle breach disclosure. This is the dated record.

What Actually Happened — The 2016 Breach

In October 2016, two hackers, later identified as Brandon Charles Glover (Florida) and Vasile Mereacre (Toronto), accessed an Amazon Web Services storage bucket containing Uber backup files, using AWS credentials they had found in a private GitHub repository used by Uber engineers. They downloaded 57 million records: names, email addresses, and phone numbers of riders and drivers, including roughly 600,000 U.S. driver's license numbers belonging to Uber drivers. The hackers then contacted Uber's security team and demanded payment.

Uber paid $100,000, routed through the company's HackerOne bug bounty program to give the payment a paper trail that looked legitimate. The hackers signed non-disclosure agreements. Their identities were verified. The data was destroyed, or so the company believed at the time. The incident was not disclosed to the Federal Trade Commission, which was actively investigating Uber over a previous 2014 breach during the exact period in which the 2016 breach was being concealed. It was not disclosed to state attorneys general. It was not disclosed to the affected users.

Joe Sullivan — Uber's CSO since April 2015, recruited from Facebook — orchestrated the cover-up structure. Travis Kalanick — Uber's CEO at the time — was briefed and approved the response. The original 2017 trade-press read framed this as "Uber's latest crisis." The 2022 verdict reframed it as a federal criminal matter — one with personal consequences for the security executive involved.

The Disclosure — Khosrowshahi's First Major Test

Dara Khosrowshahi started as Uber CEO on August 30, 2017. He inherited the cover-up but not the decision that created it. His internal investigation — led by new Chief Legal Officer Tony West, hired November 2017 from PepsiCo — uncovered the concealment within his first eight weeks.

The disclosure decision was Khosrowshahi's first major test. He had three options:

  • Continue the cover-up. The hackers had signed NDAs. The data was believed destroyed. The FTC investigation was about a different incident. Continuing was possible. It was also the conduct the obstruction-of-justice and misprision charges would later attach to: an FTC data-security investigation was already open, so silence toward it was concealment, not neutrality.

  • Quiet disclosure to regulators only. Inform the FTC, state AGs, and the U.S. Department of Justice without going public. Negotiate settlements. Minimize media exposure.

  • Full public disclosure. Publish under his own name. Take the immediate reputational hit. Fire the executives who ran the cover-up. Pay the regulatory and civil costs.

Khosrowshahi chose Option 3. The November 21, 2017 Medium post was published under his own name. The disclosure was specific: how many users, what data, when, how much was paid to the hackers, who knew. Joe Sullivan was fired the same week. The deputy general counsel who had reviewed the payment, Craig Clark, was also fired. The disclosure framing, "None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," distinguished the company-under-Khosrowshahi from the company-under-Kalanick without legal hedging.

This was the disclosure-as-reset move. It worked at the comms level — most contemporary press coverage treated the new CEO as the adult in the room. It did not work at the regulatory or criminal level for those involved in the original cover-up.

The $148 Million Settlement and the Federal Investigation

The civil, regulatory, and criminal cycle ran from November 2017 into 2020:

  • September 26, 2018 — The 50-state AG settlement. Uber agreed to pay $148 million to settle claims with all 50 state attorneys general. At the time, it was the largest data-breach civil settlement in U.S. history. The settlement also required Uber to commit to a multi-year corporate integrity program with mandated breach-disclosure protocols.

  • 2018 — The Federal Trade Commission consent decree. The FTC expanded its existing 2014-breach consent order to incorporate findings from the 2016 breach concealment, announcing the revised settlement in April 2018 and finalizing it that October. Uber accepted 20 years of FTC privacy oversight.

  • October 2019 — The hacker guilty pleas. Both Glover and Mereacre pleaded guilty to federal charges in October 2019. Both received probation, the federal sentence reflecting their cooperation with prosecutors investigating Sullivan.

  • August 20, 2020 — The Sullivan charges. The U.S. Attorney for the Northern District of California charged Sullivan with obstruction of justice and misprision of a felony. The case hinged on Sullivan's representations to the FTC during the 2014-breach investigation, which left the agency with the impression that no further data breach had occurred, at the exact moment Sullivan was orchestrating the 2016 cover-up.

The Conviction That Changed the CSO Job

The Sullivan trial ran four weeks in September-October 2022. The prosecution case was specific: Sullivan had personally negotiated the $100,000 hush payment, had directed the routing through the HackerOne bug bounty program to create cover, had the hackers sign an NDA that recited, falsely, that they had not taken or stored any data, and had failed to disclose the breach to the FTC during the 2014-breach proceeding then underway. The defense argued that Sullivan had acted within standard corporate-security practice for the era and that the bug bounty framing was a legitimate use of HackerOne's mechanism.

The jury returned guilty verdicts on both counts on October 5, 2022. Sullivan became the first Chief Security Officer in U.S. history convicted of federal crimes related to a corporate data breach. The May 4, 2023 sentencing (three years' probation, 200 hours of community service, a $50,000 fine, no prison time) was widely interpreted as a signal that the conviction itself was the deterrent.

The conviction reshaped the CSO profession across three measurable dimensions:

  • CSO liability insurance markets emerged. By 2024, multiple insurers had written CSO-specific D&O policies covering legal defense costs in regulatory enforcement actions. The premium structure assumed Sullivan-era exposure as the baseline scenario.

  • The "no-pay, full-disclose" doctrine became standard. The Sullivan verdict did not criminalize paying an intruder; a bug bounty payment is lawful. What it criminalized was using the payment to buy silence and then concealing the breach from a regulator already investigating the company. Post-Sullivan, an executive who authorizes a payment to a breach actor and keeps the incident out of the company's disclosure process carries personal legal exposure. Disclosure timelines have compressed from months to days at most public companies.

  • The new SEC cybersecurity disclosure rules. The SEC's cybersecurity disclosure rules, adopted July 2023 and in force from December 2023, require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material. They are the regulatory codification of the Sullivan-era lessons; the Uber 2016 incident is the paradigm breach-concealment case behind them, whether or not the rulemaking names it.

What This Looks Like in the AI Engines Now

Type "CSO liability" or "data breach disclosure" into ChatGPT, Claude, Perplexity, Gemini, or Google AI Overviews in June 2026. The synthesis paragraph cites the Joe Sullivan conviction within the first two or three sentences. The Uber 2016 breach is the most-cited corporate-breach-cover-up case in the modern AI engine retrieval graph. It anchors the broader "what happens when you hide a breach" answer with a concrete named-principal example.

This is the opposite of the Toyota recall pattern. With Toyota, the engines lead with the crisis (the recall) before the recovery (the operational framework). With Uber 2016, the engines lead with the disclosure-by-Khosrowshahi (the reset moment) almost as often as they lead with the original concealment. The reason: the disclosure was itself a named-principal moment — Khosrowshahi's Medium post, in his name, with specific numbers and named-executive accountability. That moment created retrieval-grade primary source content that the engines now cite alongside the original breach.

The lesson for any company sitting on undisclosed breach exposure: the principal who discloses owns the retrieval narrative. The Joe Sullivan conviction is what the engines remember about the concealment side. The Khosrowshahi disclosure is what the engines remember about the company side. The two outcomes ran in different directions because the disclosure separated them.

The 2026 Disclosure Playbook

The post-Sullivan disclosure playbook now runs four lines, all visible in how mature public companies handle breach events today:

  • Disclose within hours, not days. The SEC's four-business-day rule is the floor, not the target, and its clock starts at the materiality determination, not at discovery; a slow materiality call is the loophole regulators watch for. Best-in-category public companies (yes, that phrase is overused in trade press, but the practice itself is real) disclose within 24-48 hours of confirmed material impact.

  • Use the CEO's name on the disclosure. Spokesperson-mediated breach disclosure underperforms named-principal disclosure in both regulatory and engine-retrieval terms.

  • Quantify the exposure. Number of affected users, type of data, geographic distribution, remediation cost, regulatory cooperation commitment. Vague disclosure compounds adverse retrieval.

  • Fire the executives who failed. The Khosrowshahi-fires-Sullivan-and-Clark move is the operational template. Continued employment of executives who participated in concealment converts the breach into a governance crisis.


Frequently Asked Questions

What was the Uber 2016 data breach?

In October 2016, two hackers — Brandon Charles Glover and Vasile Mereacre — accessed an Amazon Web Services bucket containing Uber backup files. They downloaded records of 57 million riders and drivers, plus 600,000 U.S. driver's license numbers. Uber paid the hackers $100,000 through its HackerOne bug bounty program to delete the data and sign non-disclosure agreements. The breach was not disclosed to regulators or affected users for more than a year.

How did the Uber 2016 hack cover-up come to light?

The cover-up was disclosed by new Uber CEO Dara Khosrowshahi on November 21, 2017 — three months into his role. Khosrowshahi's internal investigation, led by newly hired Chief Legal Officer Tony West, uncovered the concealment within his first eight weeks at the company. The disclosure was published as a Medium post under his own name, with specific numbers and named-executive accountability.

Who was Joe Sullivan?

Joe Sullivan served as Uber's Chief Security Officer from April 2015. He had previously been Chief Security Officer at Facebook. Sullivan orchestrated the structure of the 2016 breach cover-up, including the routing of the $100,000 hush payment through the HackerOne bug bounty program. Khosrowshahi fired him the week of the November 2017 disclosure.

What was Joe Sullivan convicted of?

On October 5, 2022, a federal jury in San Francisco convicted Joe Sullivan of obstruction of justice and misprision of a felony. The conviction was the first in U.S. history of a Chief Security Officer in connection with a corporate data breach. Sullivan was sentenced on May 4, 2023 to three years' probation, 200 hours of community service, and a $50,000 fine. He received no prison time.

How much did Uber pay in the breach settlement?

On September 26, 2018, Uber agreed to pay $148 million to settle claims with all 50 state attorneys general. At the time, it was the largest data-breach civil settlement in U.S. history. The settlement also required Uber to commit to a multi-year corporate integrity program with mandated breach-disclosure protocols. Uber additionally accepted 20 years of FTC privacy oversight under an expanded consent decree.

What is the post-Sullivan breach disclosure playbook?

The post-Sullivan playbook runs four lines: disclose within 24-48 hours of confirmed material impact (the SEC's four-business-day rule, which runs from the materiality determination, is the floor); use the CEO's name on the disclosure; quantify the exposure (affected users, data types, remediation cost); and remove the executives who participated in concealment. The Khosrowshahi-fires-Sullivan-and-Clark move is the operational template. The SEC's cybersecurity disclosure rules, adopted July 2023 and in force from December 2023, codified the disclosure-timing practice into binding regulation for public companies.