Topline
A former Uber executive was found guilty Wednesday on federal obstruction of justice charges for failing to report a 2016 hack at the rideshare company to the Federal Trade Commission, in what is believed to be the first time an executive has faced a criminal trial over a data breach.
Key Facts
Joe Sullivan, the former security chief for Uber who was fired by the company in 2017, was convicted in federal court in San Francisco on one count of obstruction of justice and one count of misprision, or concealing a felony.
The trial lasted for three weeks and concluded Friday, and it took the jury roughly 19 hours to reach a verdict, according to the New York Times.
A sentencing date has not yet been set, but Sullivan faces a maximum of five years in prison for the obstruction of justice charge, and up to three years for failing to report the crime, according to the Justice Department.
Sullivan previously worked at Facebook and Cloudflare, and once served as a cybercrimes prosecutor for the San Francisco U.S. attorney’s office, which prosecuted the case against him.
David Angeli, a lawyer for Sullivan, told the Times they “disagree” with the verdict and that his client’s “sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the internet.”
Key Background
In 2016, when the FTC was inv
estigating Uber over a previous hacking incident, Sullivan received an email from anonymous hackers who said they had discovered a security vulnerability involving about 57 million Uber riders and 60,000 drivers, prosecutors said. The hackers demanded $100,000, or they would release the data. The company paid the hackers, and when they eventually discovered their identities, had them sign non-disclosure agreements. The two hackers pleaded guilty to the breach in 2019, and one of them testified for the prosecution during Sullivan’s trial, according to the Washington Post. Benjamin Kingsley, an assistant U.S. attorney, argued Sullivan participated in “a deliberate withholding and concealing of information” to keep the FTC from finding out about the new hack, which would have extended the group’s ongoing investigation into Uber, the Times reported. The hack wasn’t reported to the FTC until CEO Dara Khosrowshahi was hired in 2017. However, in his closing arguments, Angeli said Sullivan believed the incident was a “bug bounty”—a payment deal that can be offered to those who report security issues—and that there was no cover up, the Journal reported. “Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported,” he said. Sullivan was charged by federal prosecutors in 2020.
Further Reading
Former Uber security chief convicted of covering up 2016 data breach (The Washington Post)
Former Uber Security Chief Found Guilty of Hiding Hack From Authorities (The New York Times)
Former Uber Security Chief Found Guilty of Obstructing FTC Probe (The Wall Street Journal)
Source: https://www.forbes.com/sites/marisadellatto/2022/10/05/former-uber-security-chief-convicted-of-covering-up-data-breach/