A San Francisco federal jury found former Uber Inc. chief security officer Joseph Sullivan guilty of criminal obstruction charges for failing to report a 2016 cyber intrusion to federal authorities.
The case has been closely watched as a rare instance of a senior cybersecurity executive facing criminal consequences for a decision not to disclose a hacking incident.
The verdict, handed down Wednesday in US federal court, followed a three-week trial. Mr. Sullivan now faces up to five years in prison on the obstruction charge and up to three years in prison on a second charge of failing to report a felony.
The case has put a spotlight on the sometimes gray areas that cybersecurity teams navigate as they respond to hacking incidents. Mr. Sullivan’s lawyers had argued that their client had properly protected some 57 million Uber customer records in 2016 after they were accessed by an anonymous hacker who demanded a $100,000 payment. The money was eventually paid as a “bug bounty” by Mr. Sullivan’s team.
Prosecutors alleged that the payment was an attempt by Mr. Sullivan to cover up the incident and that he took steps to conceal it from the Federal Trade Commission, which at the time was investigating Uber’s cybersecurity practices over an earlier breach.
Mr. Sullivan was fired by Uber in 2017 and charged by federal authorities three years later.
The case focused on Mr. Sullivan’s actions following a November 2016 cybersecurity incident that occurred while Uber was under investigation by the FTC. Anonymous hackers approached Uber, saying they had discovered a “significant vulnerability” at Uber and obtained sensitive company data, and demanded payment. The following month, Uber paid the hackers in bitcoin, eventually identified them and had them sign non-disclosure agreements.
With the hackers identified and bound by an NDA, Mr. Sullivan’s team believed the stolen data was protected, and the team classified the incident as a bug bounty rather than a data breach, his lawyer, David Angeli, said during closing arguments on Friday.
“Uber’s security team and Mr. Sullivan believed their customer data was secure and this was not a reportable incident,” Mr. Angeli said. “There was no cover-up and there was no obstruction.”
However, Uber, which was already under investigation for mishandling customer data in 2014, did not tell the FTC what happened. And Mr. Sullivan, according to prosecutors, did not inform key members of the legal team about the incident. He also took steps to keep the fact that the hackers had downloaded Uber data from becoming more widely known within the company, prosecutors said.
Uber’s then-CEO Travis Kalanick was aware of the incident, according to evidence presented during the trial. Mr. Kalanick resigned under pressure from investors and was replaced by Uber’s current chief executive, Dara Khosrowshahi. Shortly after taking over, Mr. Khosrowshahi ordered an investigation into the 2016 incident, he testified during the trial.
Eventually, he learned that a significant amount of data had been obtained by the hacker and that the hacker had been paid significantly more than Uber typically awarded for bug bounties, things Mr. Sullivan had not told him, Mr. Khosrowshahi said.
In November 2017, Mr. Khosrowshahi fired Mr. Sullivan. “I felt like I couldn’t trust the man anymore,” he said.
The case drew the attention of cybersecurity professionals because it is highly unusual for executives to face criminal charges after a hack, said Scott Shackelford, a professor of business law and ethics at Indiana University. “It wasn’t that long ago that it was very rare for senior leaders to even be fired after a breach,” he said.
Lately, Washington has taken a more aggressive approach to policing the technology industry, Mr. Shackelford said. “This could be the first of many criminal charges,” he said.
Write to Robert McMillan at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.