Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.
The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who left Uber in 2017, was found guilty on Tuesday by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan of a second count related to having knowledge of, but failing to report, the 2016 breach to the appropriate government authorities.
The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be revealed. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed personal information on almost 60mn drivers and riders on the platform.
The hackers, one of whom testified during the trial, turned down the company’s offer of $10,000 — the maximum payout under Uber’s “bug bounty” policy designed to encourage private disclosure of security flaws — and threatened to release the data if a larger fee was not paid.
The parties negotiated a $100,000 payment, which required signing a non-disclosure agreement and a commitment to delete any user data that had been obtained. The two hackers later pleaded guilty to the attack.
Lawyers for Sullivan defended his actions in court, saying he had acted to protect users, and had notified his superiors — including then-CEO Travis Kalanick — of the data breach.
The outcome will send shockwaves through the cyber security industry, raising questions over who should take responsibility when damaging breaches occur.
“This verdict is misplaced,” said Katie Moussouris, founder and chief executive of Luta Security, which specialises in managing “bug bounty” programmes for large organisations. “The role of chief security officer cannot become chief sacrificial officer if we want those roles to be effective.”
Uber did not respond to requests for comment.
Sullivan, a former government prosecutor specialising in cyber crime, has also previously worked at Facebook and Cloudflare.
A date for his sentencing has not yet been set. He could face eight years in prison.