A jury on Wednesday found Uber’s former security chief guilty of federal crimes for covering up a massive hack that compromised personal information of users and drivers, US media reports said.
Joseph Sullivan was found guilty of obstructing the work of the Federal Trade Commission and failing to notify authorities of a crime when he covered up a 2016 break-in instead of reporting it, according to news outlets.
Sullivan could be sentenced to prison.
Sullivan tried to pay off the hackers by funneling money through a “bug bounty” program that rewards developers for disclosing security vulnerabilities without doing any harm, according to the criminal complaint.
Uber paid the hackers $100,000 in bitcoin cryptocurrency in December 2016, and Sullivan wanted them to sign nondisclosure agreements promising to keep mum about the case, prosecutors said.
Sullivan was Uber’s chief security officer from April 2015 to November 2017.
The criminal complaint alleges that Sullivan misled Uber’s new CEO, Dara Khosrowshahi, who was appointed in mid-2017 to replace Travis Kalanick, about the breach.
“Silicon Valley is not the Wild West,” David Anderson, U.S. Attorney for the Northern District of California, said in a statement when the charges were filed.
“We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Two members of Uber’s information security team who “led the response,” which included not notifying users about the data breach, have been fired from the San Francisco-based company, according to Khosrowshahi.
Uber’s chief said he learned that outsiders hacked into a cloud-based server used by the company for data and downloaded a significant amount of information.
The stolen files included names, email addresses and cellphone numbers for millions of riders, as well as the names and driver’s license information of about 600,000 drivers, according to Uber.
Co-founder and ousted chief Kalanick was informed of the breach shortly after it was discovered, but did not go public until after Khosrowshahi learned of the incident, according to an AFP source.
Uber did not respond to a request for comment on the verdict.
Casey Ellis, founder and CTO at Bugcrowd, a San Francisco-based leader in crowd-sourced cybersecurity, said: “It’s a major precedent that has already sent shockwaves through the CISO (chief information security officer) community.
“It highlights the personal responsibility that comes with being a CISO in a dynamic political, legal and adversarial environment.”