Uber’s former security chief has been found guilty of not disclosing a data breach at the ridesharing giant, in what is believed to be the first time a company executive has been charged over a hack.
A jury found Joe Sullivan, the former security lead at Uber, guilty on two counts in relation to the covering up of a breach of customer data in 2016, in a verdict that may change how businesses respond to cyber incidents.
Sullivan was found guilty of obstructing a Federal Trade Commission (FTC) investigation into Uber, and of concealing a felony from authorities, which could result in a jail term of up to 8 years.
The charges stem from a 2016 breach of Uber’s systems which impacted the personal data of more than 57 million riders and drivers.
Sullivan learned of this breach while the FTC was already investigating Uber over an earlier breach of its network in 2014, but did not inform the authorities or the public – and instead paid the hacker $US100,000 to keep quiet.
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” US attorney for the Northern District of California Stephanie M Hinds said.
“Where such conduct violates the federal law, it will be prosecuted.”
Ten days after Sullivan was deposed by the FTC over this earlier breach, he received an email from a hacker saying they had obtained the personal data of 600,000 Uber drivers and the personal information of 57 million Uber riders and drivers.
The hacker demanded Uber pay them at least $US100,000 in exchange for the stolen information.
Sullivan then referred the hacker to Uber’s bug bounty program, which pays white hat hackers a maximum of $US10,000 if they disclose a vulnerability in the company’s systems.
Despite this cap, the court heard that Sullivan’s security team paid this hacker the $US100,000 they asked for, and also made them sign a non-disclosure agreement.
Sullivan did not inform the FTC about this incident or the general public.
Prosecutors alleged this was in part because telling the FTC about the breach would extend its investigation and hurt his reputation.
Many US states have laws requiring companies to disclose breaches to authorities if personal data of a certain number of people has been impacted.
Assistant US Attorney Benjamin Kingsley said Sullivan didn’t even reveal the breach to Uber’s general counsel.
“He took many steps to keep the FTC and others from finding out about it,” Kingsley said. “This was a deliberate withholding and concealing of information.”
Sullivan did inform Uber lawyer Craig Clark, who received immunity in exchange for testifying against Sullivan.
Clark testified that Sullivan told his security team at Uber to keep the breach secret, and that the non-disclosure agreement falsely claimed that the hackers were conducting white hat research, rather than attempting to extort the company.
The hack was eventually publicly disclosed in 2017 after Dara Khosrowshahi took over as CEO of Uber.
Khosrowshahi also fired Sullivan and Clark after learning about the cover up of the data breach.
Sullivan’s lawyer argued that he had just been doing his job.
“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” his lawyer said.
“Mr Sullivan’s sole focus – in this incident and throughout his distinguished career – has been ensuring the safety of people’s personal data on the internet.”
The charging of the Uber executive, believed to be the first of its kind, may change how tech firms handle data breaches in the future, Chinmayi Sharma, scholar in residence at the Robert Strauss Center for International Security and Law, told the New York Times.
“The way responsibilities are divided up is going to be impacted by this,” Sharma said.
“What’s documented is going to be impacted by this. The way bug bounty programs are designed is going to be impacted by this.”
Sullivan is currently free on bond and will be sentenced at a later date.
Uber recently experienced another significant cyber breach, with an 18-year-old reportedly gaining access to the company’s internal systems and databases after tricking an employee.
Uber was forced to take a number of its internal communications and engineering systems briefly offline following the attack, with the tech giant also contacting law enforcement.