The previous Uber safety chief was discovered responsible of protecting up a 2016 information breach on the ride-sharing large, hiding particulars from US regulators and paying a pair of hackers in return of their discretion.
The lawsuit, carefully watched in cybersecurity circles, can be the primary legal prosecution of a company government for dealing with a knowledge breach.
Joe Sullivan, who was fired in 2017 over the incident, was discovered responsible on Tuesday by a San Francisco jury of obstruction of an investigation by the Federal Commerce Fee. On the time of the 2016 breach, the regulator was investigating the automobile reservation service over one other cybersecurity breach that occurred two years earlier.
Jurors additionally convicted Sullivan on a second rely associated to figuring out however failing to report the 2016 offense to the suitable authorities authorities.
The incident lastly turned public data in 2017 when Dara Khosrowshahi, who had simply taken over as chief government, revealed the small print of the assault.
Prosecutors mentioned Sullivan took steps to make sure that information compromised within the assault wouldn’t come to gentle. Based on courtroom paperwork, two hackers approached Sullivan’s staff to inform Uber a couple of safety breach that uncovered private data almost 60 minutes of drivers and riders on the marina.
The hackers, one in every of whom testified through the trial, refused the corporate’s provide of $10,000, the utmost cost allowed by UberThe “bug bounty” coverage was designed to encourage non-public disclosure of safety vulnerabilities – and threatened to leak the information if a better price was not paid.
The events negotiated a cost of $100,000, which required the signing of a nondisclosure settlement and a dedication to delete all person information that had been obtained. Each pirates later pleaded responsible to the assault.
Sullivan’s attorneys defended his actions in courtroom, saying he acted to guard customers and knowledgeable his superiors – together with then-CEO Travis Kalanick – of the information breach.
The consequence will ship shock waves via the cyber safety business, elevating the query of who ought to bear accountability for dangerous violations.
“This verdict is misplaced,” mentioned Katie Moussouris, founder and chief government of Luta Safety, which focuses on working “bug bounty” packages for big organizations. “The chief safety function can’t grow to be a sacrificial chief if we wish these roles to be efficient.”
Uber didn’t reply to requests for remark.
“Sullivan labored to cover the information breach from the Federal Commerce Fee and took steps to stop the hackers from being arrested,” Stephanie Hinds, a U.S. lawyer for the Northern District of California, mentioned in an announcement.
“We is not going to tolerate the withholding of fabric data from the general public by company executives who’re extra involved with defending their fame and that of their employers than defending customers,” she added.
Sullivan, a former authorities prosecutor specializing in cybercrime, beforehand labored at Fb and Cloudflare.
The date of his sentencing has not but been set. He faces as much as eight years in jail.