A federal jury has convicted Uber’s former security chief of charges related to a 2016 cover-up involving the ride-share giant, according to journalists present in the courtroom.
Joe Sullivan, who was found guilty of one count of obstruction and one count of misprision of a felony on Wednesday, helped to conceal a massive 2016 data breach from authorities, while also obstructing a Federal Trade Commission investigation.
Sullivan’s troubles began in the fall of 2016, when two cybercriminals gained access to an Amazon Web Services storage bucket operated by the company and stole personally identifying information on some 600,000 Uber drivers, as well as on approximately 57 million users of the ride-share app. The hackers then contacted Sullivan by email in an attempt to extort $100,000 from the company.
To complicate matters, Uber was being investigated by the FTC for a previous hacking incident at the time of the breach. Sullivan secretly paid off the hackers via the company’s bug bounty program and then later misled federal investigators about what had occurred.
Under Sullivan’s watch, the public was never notified of the incident, even though the criminals had stolen users’ names, phone numbers, and email addresses, along with drivers’ license numbers.
Federal prosecutors alleged that Sullivan subsequently attempted to “conceal, deflect, and mislead the Federal Trade Commission about the breach.” Sullivan’s charges stem from the cover-up, not from the payoff itself; paying off attackers has become an increasingly common practice in recent years.
A former federal prosecutor turned corporate cybersecurity executive, Sullivan had previously served a similar stint as security chief at Facebook, among other high-level positions in Silicon Valley, before taking over security at Uber. He helmed security operations at the global ride-share firm until November 2017, when Uber’s new chief executive, Dara Khosrowshahi, learned what had happened. Sullivan was subsequently fired, along with other members of the security team.
The hackers behind the episode were ultimately arrested and charged in connection with the incidents. They pled guilty to related crimes in 2019.
The case has sharply divided the cybersecurity community. The New York Times reports that this may be the first time a security executive has been held criminally liable for the handling of a hacking incident in this way, and the verdict could set a precedent for future cases in which CISOs face legal consequences over data breaches. Some security professionals have suggested that Sullivan was made a “scapegoat” for the incident.