Joe Sullivan failed to report a cybersecurity incident to authorities in 2016
A San Francisco jury has found Uber’s former chief security officer, Joe Sullivan, guilty of criminal obstruction for failing to report a 2016 cybersecurity incident to authorities.
Sullivan, who was fired from Uber in 2017, was found guilty on counts of obstruction of justice and deliberate concealment of felony, a spokesperson from the US justice department confirmed on Wednesday.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught,” said Stephanie Hinds, US attorney for the northern district of California.
The case was being watched as an important precedent regarding the culpability of individual security staffers and executives when handling cybersecurity incidents, a concern that has only grown at a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen.
The case pertains to a breach of Uber’s systems that affected data of 57 million passengers and drivers.
The breach took place in 2016, but Uber only disclosed it publicly a year later. Public disclosures of security breaches are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.
Uber’s revelations sparked several federal and state inquiries. In September 2018, Uber paid $148m (£130m) to settle claims by all 50 US states and Washington DC that it was too slow to disclose the hacking. The two hackers involved pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program the following year.
The justice department filed criminal charges against Sullivan in 2020. At the time, prosecutors alleged he arranged to pay the hackers $100,000 (£87,964) in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data.
Sullivan was also accused of withholding information from Uber officials who could have disclosed the breach to the FTC, which had been evaluating the San Francisco-based company’s data security following a 2014 breach.
In July, Uber accepted responsibility for covering up the breach and agreed to cooperate with the prosecution of Sullivan over his alleged role in concealing the hacking, as part of a settlement with US prosecutors to avoid criminal charges.
An FTC spokesperson said in a statement on Thursday: “The court’s decision affirms that hiding serious breaches of data from the FTC will not be tolerated and makes clear that big tech executives are not above the law.” Sullivan’s lawyer David Angeli did not respond to a request for comment.