Oct. 6 (UPI) — Uber Technologies Inc.’s former security chief has been convicted of criminal obstruction for failing to report a massive data breach to federal authorities six years ago.
A jury in San Francisco federal court found Joseph Sullivan guilty Wednesday following a three-week trial that focused on how cybersecurity teams respond to hacking incidents, as well as Sullivan’s decision not to disclose the ride share giant’s security lapse in 2016.
“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Sullivan’s lawyer David Angeli said. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the Internet.”
Sullivan, who was convicted of both charges against him, faces five years in prison for obstructing a government investigation and up to three years in prison for concealing the breach that compromised the personal data of 50 million customers and 7 million drivers.
Sullivan’s lawyers argued that he actually protected the millions of customer and driver records after they were accessed by an anonymous hacker who demanded $100,000. The money was paid by Sullivan’s team as a “bug bounty” to prevent the hackers from disclosing they had stolen the data.
Sullivan claimed other executives at Uber knew about the hack, but chose not to tell regulators for more than a year.
Prosecutors argued the “bug bounty” payment allowed Sullivan to cover up the incident and avoid reporting it to the Federal Trade Commission, which was already investigating Uber’s security practices over an earlier breach in 2014.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, U.S. attorney for the Northern District of California, said in a statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
Uber fired Sullivan in 2017. He was charged by federal authorities three years later. Uber’s failure to report the 2016 data breach cost the ride share $148 million in a settlement paid out to all 50 states.