Joe Sullivan, the former chief security officer of Uber, was found guilty of criminal obstruction by a San Francisco jury for failing to notify the appropriate authorities of a cybersecurity breach in 2016.
A representative for the US justice department said on Wednesday that Sullivan, who was sacked by Uber in 2017, was found guilty on counts of obstruction of justice and willful concealment of a felony.
According to Stephanie Hinds, US attorney for the northern district of California, “Sullivan actively worked to conceal the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being apprehended.”
The case was closely watched as a crucial precedent regarding the responsibility of individual security staffers and executives when handling cybersecurity incidents, a concern that has only grown as reports of ransomware attacks have increased and the cost of cybersecurity insurance has gone up.
The complaint involves a system breach at Uber that exposed the data of 57 million users, including drivers and passengers.
The hack happened in 2016, but Uber didn’t make it public until 2017. Several US jurisdictions require public disclosure of security breaches by law, with most legislation requiring that the notice be made “in the most expedient time and without excessive delay.”
The allegations about Uber led to numerous federal and state investigations. Uber paid $148 million (£130 million) in September 2018 to resolve charges from all 50 US states and Washington, DC that it took too long to disclose the hacking. The two hackers who were involved admitted the next year to hacking Uber and extorting money from the company through its “bug bounty” security research program.
In 2020, the justice department charged Sullivan with a crime. Prosecutors said at the time that he set up a payment of $100,000 (£87,964) in bitcoin to the hackers and forced them to sign nondisclosure agreements that falsely claimed they had not stolen any data.
Sullivan was also charged with withholding information from Uber representatives who might have informed the FTC, which was inspecting the San Francisco-based company’s data security after a breach in 2014.
As part of a deal with US prosecutors in July to avoid criminal prosecution, Uber admitted responsibility for hiding the breach and consented to assist in Sullivan’s prosecution for allegedly helping to hide the hacking.
A spokesperson for the FTC said in a statement on Thursday that the court’s ruling “makes clear that big tech CEOs are not above the law and underscores that hiding serious data breaches from the FTC will not be tolerated.” David Angeli, Sullivan’s attorney, did not respond to a request for comment.