Former Uber security chief Joe Sullivan was found guilty Wednesday by a federal jury of failing to disclose breaches of customer and driver records to government regulators.
In 2016, when the Federal Trade Commission was investigating a previous breach into Uber’s online systems, Sullivan learned of a new breach that affected the Uber accounts of more than 57 million passengers and drivers.
A jury found Mr. Sullivan guilty on one count of obstructing an FTC investigation and on one count of acting to conceal a felony from authorities.
The case, believed to be the first time a corporate executive has been criminally prosecuted for hacking, could change the way security professionals deal with data breaches.
“The way responsibilities are shared will be affected by this. What is documented will be affected by this. The way bug bounty programs are designed will be affected by this,” said Chinmayi Sharma, researcher at the Robert Strauss Center for International Security and Law and lecturer at the University of Texas at Austin School of Law.
Sullivan’s trial ended Friday, and it took more than 19 hours for a jury of six men and six women to reach a verdict.
Sullivan’s attorney, David Angeli, said: “Mr. Sullivan’s sole focus throughout this incident and his illustrious career has been to ensure the safety of people’s personal data on the Internet.”
Assistant U.S. Attorney Andrew Dawson declined to comment on the verdict. Uber did not immediately respond to a request for comment.
Sullivan was deposed by the FTC as part of its investigation into the 2014 breach of Uber’s online systems. Ten days after his deposition, he received an email from a hacker who claimed to have discovered another security vulnerability in the company’s systems.
Sullivan learned that the hacker and an accomplice had downloaded the personal data of approximately 600,000 Uber drivers and additional personal information related to 57 million passengers and drivers, according to court testimony and documents. The hacker said he pressured Uber to pay him at least $100,000.
Sullivan’s team steered them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. According to court testimony and documents, the program capped payments at $10,000. Sullivan and his team paid the hackers $100,000 and had them sign a non-disclosure agreement.
In testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.
Uber did not publicly disclose the incident or notify the FTC until new CEO Dara Khosrowshahi joined the company in 2017. The two hackers pleaded guilty to hacking in October 2019.
When hackers download personal data and a certain number of users are affected, states typically require companies to disclose the breach. There is no federal law requiring companies or their executives to disclose breaches to regulators.
Federal prosecutors allege that Sullivan knew that revealing new hacks would extend the FTC’s investigation and damage his reputation, and that he hid the hacks from the FTC.
“He took a number of steps to prevent the FTC and others from knowing about it,” Assistant U.S. Attorney Benjamin Kingsley said in closing arguments Friday. “It was a tangible withholding and concealment of information.”
Sullivan did not disclose the 2016 hack to Uber’s legal counsel, according to court testimony and documents. He discussed the breach with another Uber attorney, Craig Clark.
Like Sullivan, Clark was fired after Khosrowshahi learned the details of the breach. Clark was granted immunity by federal prosecutors in exchange for testifying against Sullivan.
Clark testified that Sullivan told Uber’s security team the breach had to be kept confidential, and that Sullivan changed the non-disclosure agreement signed by the hackers to falsely characterize the hack as white hat research.
Sullivan said he would discuss the breach with the management of Uber’s “A Team,” according to Clark’s testimony. He shared the issue with only one member of the A-Team, then-CEO Travis Kalanick. Kalanick authorized the $100,000 payment to the hackers, according to court documents.
Sullivan’s lawyers insisted he was just doing his job.
They argued that Sullivan and others used bug bounty programs and non-disclosure agreements to prevent user data leaks and identify hackers, and that Sullivan did not hide the incident from the FTC.