Uber’s former security chief was convicted of covering up a 2016 data breach at the ride-sharing giant, hiding details from US regulators and paying two hackers in exchange for their discretion.
The trial, which was closely watched in cybersecurity circles, is believed to be the first criminal prosecution of a company executive for his handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty Tuesday by a jury in San Francisco of obstructing a Federal Trade Commission investigation. At the time of the breach in 2016, regulators had been investigating the car booking service for another cybersecurity vulnerability that had surfaced two years earlier.
The jury also convicted Sullivan on a second count of knowing about the 2016 violation but failing to report it to appropriate government authorities.
The incident finally became public in 2017 when Dara Khosrowshahi, who had just taken over as Chief Executive, revealed details of the attack.
Prosecutors said Sullivan took steps to ensure the data compromised in the attack would not be disclosed. According to court documents, two hackers contacted Sullivan’s team to tell Uber about a vulnerability that exposed the personal information of nearly 60 million drivers and passengers on the platform.
The hackers, one of whom testified at the trial, turned down the company’s offer of $10,000 — the maximum payout under Uber’s “bug bounty” policy designed to encourage private disclosure of security vulnerabilities — and threatened to release the data if a higher fee was not paid.
The parties negotiated a $100,000 payment, which required signing a non-disclosure agreement and agreeing to delete all user data obtained. The two hackers later pleaded guilty to the attack.
Lawyers for Sullivan defended his actions in court, saying he acted to protect users and notified his superiors — including then-CEO Travis Kalanick — of the data breach.
The verdict will send shockwaves through the cybersecurity industry, raising questions about who should take responsibility when malicious security breaches occur.
“This ruling is misplaced,” said Katie Moussouris, founder and chief executive officer of Luta Security, which specializes in managing “bug bounty” programs for large organizations. “The chief security officer role cannot become the chief victim officer if we want those roles to be effective.”
Uber did not respond to requests for comment.
“Sullivan worked diligently to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, US Attorney for the Northern District of California, said in a statement.
“We will not tolerate the hiding of important information from the public by executives of companies who are more interested in protecting their reputation and that of their employers than protecting users,” she added.
Sullivan, a former prosecutor specializing in cybercrime, previously worked at Facebook and Cloudflare.
A date for his sentencing has not yet been set. He faces up to eight years in prison.
Source: “Former Uber security chief convicted of covering up data breaches”, Financial Times, https://www.ft.com/content/051af6a1-41d1-4a6c-9e5a-d23d46b2a9c9