Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty on Tuesday by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of but failing to report the 2016 breach to the appropriate government authorities.
The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
The hackers, one of whom testified during the trial, turned down the company’s offer of $10,000 — the maximum payout under Uber’s “bug bounty” policy designed to encourage private disclosure of security flaws — and threatened to release the data if a larger fee was not paid.
The parties negotiated a $100,000 payment, which required signing a non-disclosure agreement and a commitment to delete any user data that had been obtained. The two hackers later pleaded guilty to the attack.
Lawyers for Sullivan defended his actions in court, saying he had acted to protect users and had notified his superiors — including then-CEO Travis Kalanick — of the data breach.
The result will send shockwaves through the cyber security industry, raising questions over who should take responsibility when damaging breaches occur.
“This verdict is misplaced,” said Katie Moussouris, founder and chief executive of Luta Security, which specialises in managing “bug bounty” programmes for large organisations. “The role of chief security officer cannot become chief sacrificial officer if we want those roles to be effective.”
Uber did not respond to requests for comment.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said Stephanie Hinds, US attorney for the northern district of California, in a statement.
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” she added.
Sullivan, a former government prosecutor specialising in cyber crime, has previously worked at Facebook and Cloudflare.
A date for his sentencing has not yet been set. He could face up to eight years in prison.