Joseph Sullivan, the former chief security officer of Uber Technologies Inc., was convicted by a San Francisco jury of criminal obstruction charges after failing to notify federal authorities about a cyber intrusion in 2016.
The case was closely followed because it was an unusual instance of a senior cybersecurity officer being prosecuted for failing to report a hacking attack.
Following a three-week trial, the verdict was announced in U.S. federal court on Wednesday. On the obstruction charge, Mr. Sullivan now faces a five-year jail term, and on a second charge of failing to disclose a felony, he may spend up to three years behind bars.
The incident brought attention to the sometimes murky waters that cybersecurity teams must navigate.
Mr. Sullivan’s attorneys claimed that their client had eventually protected the 57 million Uber customer records that a hacker demanding a $100,000 payment gained access to in 2016. Mr. Sullivan’s team eventually paid the money as a “bug bounty.”
Authorities asserted that Mr. Sullivan made the payment in an effort to conceal the incident and that he took steps to prevent it from being reported to the Federal Trade Commission, which was at the time looking into Uber’s cybersecurity procedures following a prior breach. Three years after being let go by Uber in 2017, Mr. Sullivan was charged by federal authorities.
Uber compensated the hackers the following month using the virtual currency bitcoin, eventually discovered who they really were, and required them to sign nondisclosure agreements.
Mr. Sullivan’s team considered the data protected because the hackers were identified and bound by an NDA, and classed the occurrence as a bug bounty incident rather than a data breach, his attorney David Angeli said during closing arguments on Friday.
According to Mr. Angeli, the security team at Uber and Mr. Sullivan “thought that his clients’ data was secure and that this was not an event that needed to be disclosed.” “There was neither a cover-up nor any obstruction.”
Uber, however, which was already being investigated for improperly handling user data in 2014, failed to notify the FTC of what had occurred.
Prosecutors also claim that Sullivan failed to inform important members of the defence team of the incident, and that he took action to stop word from getting out within the business that hackers had acquired Uber’s data.
According to testimony given at the trial, Travis Kalanick, the CEO of Uber at the time, was aware of the occurrence. Under pressure from investors, Mr. Kalanick resigned and was succeeded as CEO of Uber by Dara Khosrowshahi. Mr. Khosrowshahi resolved to investigate the 2016 event soon after taking over, according to testimony he gave during the trial.
Ultimately, he discovered that the hacker had been paid substantially more than expected and that a sizable amount of data had been acquired from the hacker.
Mr. Sullivan was let go by Mr. Khosrowshahi in November 2017. He remarked, “I felt I couldn’t trust the man any longer.”
According to Scott Shackelford, a professor of business law and ethics at Indiana University, it is exceedingly uncommon for CEOs to face criminal charges after a hack, which is why the case caught the attention of cybersecurity experts. “Senior leaders even being ousted in the wake of a breach wasn’t that common not so long ago,” he said.
According to Mr. Shackelford, Washington has recently stepped up its efforts to regulate the technology sector. He remarked, “This might be the start of many criminal trials.”