Former Uber security chief found guilty of covering up massive data breach

Joe Sullivan, Uber's former security chief, has been convicted of a count for concealing a massive hack suffered by the ride-hailing company in 2016, as well as another related to obstructing a Federal Trade Commission investigation into the breach.

Sullivan was fired in 2017 over the incident, which was said to have affected the personal data of over 57 million customers and drivers. He is now facing up to eight years in prison. 

According to the criminal complaint, Uber paid the hackers $100,000 (£88,670) in Bitcoin in December 2016, through a 'bug bounty' program that rewards developers for revealing security vulnerabilities.

Sullivan wanted them to sign non-disclosure agreements promising to keep mum about the affair, prosecutors said, stressing that he had taken steps to make sure data compromised in the attack would not be revealed.

The hackers later pleaded guilty for their role in the incident and one of them testified during Sullivan's trial.  

"Silicon Valley is not the Wild West," US Attorney David Anderson for the Northern District of California said in a statement when the charges were filed. "We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."

The trial is said to be the first criminal prosecution of a company executive over the handling of a data breach.

The criminal complaint also accused Sullivan of deceiving Uber's new chief executive Dara Khosrowshahi, appointed in mid-2017 to replace Travis Kalanick, about the breach. The incident eventually became public that same year, when Khosrowshahi disclosed details of the attack.

Khosrowshahi testified that after discovering inconsistencies in Sullivan’s account of what happened, he decided it was time to replace his security chief. “I couldn’t trust his judgment anymore,” he said. Sullivan was fired in 2017. 

Under US federal and state laws, companies are required to promptly disclose data breaches. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different breach that had taken place in 2014.

Uber’s mishandling of the 2016 attack led to a lawsuit that concluded when the company paid $148m (£131m) as part of a settlement with all 50 states, which at the time was the biggest data-breach payout in US history.

“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, US attorney for San Francisco, said in an emailed statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”

Sullivan’s defence argued that he had acted to protect users and had notified his superiors – including then-CEO Kalanick – and the company's legal team of the data breach, before it was made public. 

However, prosecutors argued that Sullivan was well aware of the requirements to disclose the breach, especially after the company’s previous dealings with the FTC. 

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr Sullivan’s sole focus – in this incident and throughout his distinguished career – has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days."

In 2017, the company forced its co-founder Kalanick out, due to the large amounts of controversies it faced regarding its practices, from allegations of sexual harassment to data breach scandals.

Earlier this year, Uber came under fire after The Guardian published over 124,000 documents exposing how Uber courted political leaders in several countries to relax labour and taxi laws, thwart law enforcement investigations and exploited violence against drivers to support its global expansion, known as the 'Uber Files'. 

In response to the investigation, Uber acknowledged “mistakes” and stated that its “past behaviour wasn’t in line with present values” and that it is a “different company” today.