Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is thought to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty on Tuesday by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking company over a separate cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of, but failing to report, the 2016 breach to the appropriate government authorities.
The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be exposed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal information of almost 60mn drivers and riders on the platform.
The hackers, one of whom testified during the trial, rejected the company’s offer of $10,000 — the maximum payout under Uber’s “bug bounty” programme, designed to encourage private disclosure of security flaws — and threatened to release the data if a higher price was not paid.
The parties negotiated a $100,000 payment, which required signing a non-disclosure agreement and a commitment to delete any user data that had been obtained. The two hackers later pleaded guilty to the attack.
Lawyers for Sullivan defended his actions in court, saying he had acted to protect users and had notified his superiors — including then-CEO Travis Kalanick — of the data breach.
The outcome will send shockwaves through the cyber security industry, raising questions over who should take responsibility when damaging breaches occur.
“This verdict is misplaced,” said Katie Moussouris, founder and chief executive of Luta Security, which specialises in managing “bug bounty” programmes for large organisations. “The role of chief security officer cannot become chief sacrificial officer if we want those roles to be effective.”
Uber did not respond to requests for comment.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said Stephanie Hinds, US attorney for the northern district of California, in a statement.
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting consumers,” she added.
Sullivan, a former government prosecutor specialising in cyber crime, has previously worked at Facebook and Cloudflare.
A date for his sentencing has not yet been set. He could face up to eight years in prison.