Uber’s former chief security officer was convicted Wednesday of trying to cover up a 2016 data breach in which hackers accessed tens of millions of ride-sharing service customer records.
A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing knowledge that a federal crime had been committed, federal prosecutors said.
Sullivan remains out on bail pending sentencing and could face a total of eight years in prison on the two counts when he is sentenced, prosecutors said.
“Technology companies in the Northern District of California collect and store vast amounts of user data,” US Attorney Stephanie M. Hinds said in a statement. “We will not tolerate the withholding of important information from the public by corporate executives more interested in protecting their reputations and that of their employers than protecting users.” It was believed to be the first criminal prosecution of a company executive for a data breach.
An attorney for Sullivan, David Angeli, disagreed with the verdict.
“Mr. Sullivan’s sole focus, in this incident and throughout his distinguished career, has been to ensure the security of people’s personal data on the Internet,” Angeli told the New York Times.
An email to Uber seeking comment on the conviction was not immediately returned.
Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, hackers emailed Sullivan, and employees quickly confirmed that they had stolen records from approximately 57 million riders and also 600,000 driver’s license numbers, prosecutors said.
After learning of the breach, Sullivan began a plan to hide it from the public and from the Federal Trade Commission, which had been investigating a minor attack from 2014, authorities said.
According to the US attorney’s office, Sullivan told subordinates that “the story outside the security group would be that this investigation doesn’t exist” and agreed to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also did not mention the breach to Uber lawyers who participated in the FTC investigation, prosecutors said.
“Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies, as well as Uber,” the US attorney’s office said.
Uber’s new management began investigating the leak in the fall of 2017. Despite Sullivan lying to the new CEO and others, the truth was discovered and the leak became public, prosecutors said.
Sullivan was fired along with Craig Clark, an Uber attorney whom he had told about the breach. Prosecutors gave Clark immunity and he testified against Sullivan.
No other Uber executives were charged in the case.
The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.
Sullivan was found guilty of obstruction of Federal Trade Commission proceedings and wrongful concealment of a felony, which means concealing knowledge of a felony from authorities.
Meanwhile, some experts have questioned how much cybersecurity at Uber has improved since the breach.
The company announced last month that all of its services were operational after what security professionals called a major data breach, claiming there was no evidence the hacker had access to sensitive user data.
The lone hacker apparently gained access by posing as a colleague, tricking an Uber employee into handing over his credentials. Screenshots the hacker shared with security researchers indicate that they gained full access to cloud-based systems where Uber stores sensitive customer and financial data.
It is not known how much data the hacker stole or how long they were inside the Uber network. There was no indication that they destroyed the data.