Joseph Sullivan, who used to serve as Uber’s security chief, was convicted of federal charges for hiding a 2016 data breach from authorities. According to The New York Times, a jury in a San Francisco federal court has found Sullivan guilty of obstructing the FTC’s ongoing investigation into Uber at the time for another breach that occurred in 2014. He was also found guilty of actively hiding a felony from authorities. Sullivan’s case, believed to be the first time an executive has faced criminal charges over a hack, revolves around how the former executive dealt with the bad actors who infiltrated Uber’s Amazon server and demanded $100,000 from the company.
The hackers got in touch with Uber shortly after Sullivan sat for a deposition with the FTC for its investigation of the 2014 cybersecurity incident. They told him they found a security vulnerability that allowed them to download the personal data of 600,000 drivers and additional information linked to 57 million drivers and passengers. As The Washington Post reports, it was revealed later on that the hackers found a digital key that they used to get into Uber’s Amazon account. There, they found an unencrypted backup collection of personal data on passengers and drivers.
Sullivan pointed them to the company’s bug bounty program, which had a max payout of $10,000. The hackers wanted at least $100,000, however, and threatened to release the data they’d stolen if Uber didn’t pay up. The former security chief paid them the amount they demanded in bitcoin and made it appear as if they’d been paid under the bug bounty program — an action reportedly sanction by then Uber chief executive Travis Kalanick. He also tracked them down and made them sign nondisclosure agreements.
The former executive’s camp argued that Sullivan felt Uber’s user data was protected after the hackers signed an NDA. “Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported. There was no coverup and there was no obstruction,” his lawyer David Angeli said. But prosecutors disagreed and viewed his use of NDAs as a way to cover up the incident. Further, they stressed that the incident shouldn’t have been qualified for a payout under the bug bounty program, which is meant to reward friendly security researchers, when the bad actors threatened to release users’ personal information if they didn’t get paid the amount they wanted.
In the end, the jury agreed with the prosecutors that Sullivan should have notified the FTC about the data breach. It wasn’t until Dara Khosrowshahi took over as CEO that the FTC was informed of the event. A sentence hasn’t been handed down yet, but Sullivan now faces five years in prison for obstruction and up to three more years for failing to report a felony.