Uber ex-chief security officer convicted over cover-up of 2016 data breach

A federal jury in San Francisco convicted Joseph Sullivan of obstructing justice and concealing awareness that a federal felony experienced been fully commited, federal prosecutors mentioned.

Sullivan stays no cost on bond pending sentencing and could deal with a overall of eight a long time in jail on the two costs when he is sentenced, prosecutors reported.

“Technology firms in the Northern District of California gather and shop huge quantities of facts from users,” U.S. Lawyer Stephanie M. Hinds stated in a statement. “We will not tolerate concealment of crucial data from the community by company executives far more intrigued in safeguarding their track record and that of their businesses than in preserving end users.”

It was considered to be the very first criminal prosecution of a company executive in excess of a info breach.

A law firm for Sullivan, David Angeli, took problem with the verdict.

“Mr. Sullivan’s sole focus — in this incident and all through his distinguished job — has been making sure the safety of people’s personal information on the net,” Angeli advised the New York Times.

An e mail to Uber trying to get comment on the conviction was not immediately returned.

Sullivan was employed as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and workers quickly confirmed that they experienced stolen records on about 57 million users and also 600,000 driver’s license quantities, prosecutors said.

After learning of the breach, Sullivan commenced a plan to conceal it from the public and the Federal Trade Fee, which had been investigating a scaled-down 2014 hack, authorities reported.

In accordance to the U.S. attorney’s business office, Sullivan instructed subordinates that “the tale outdoors of the stability team was to be that ‘this investigation does not exist,’” and organized to shell out the hackers $100,000 in bitcoin in trade for them signing non-disclosure agreements promising not to reveal the hack. He also hardly ever outlined the breach to Uber legal professionals who have been involved with the FTC’s inquiry, prosecutors mentioned.

“Sullivan orchestrated these acts inspite of being aware of that the hackers were being hacking and extorting other organizations as effectively as Uber,” the U.S. attorney’s place of work mentioned.

Uber’s new administration started investigating the breach in the slide of 2017. Even with Sullivan lying to the new main government officer and other people, the fact was uncovered and the breach was manufactured community, prosecutors claimed.

Sullivan was fired alongside with Craig Clark, an Uber attorney he had told about the breach. Clark was given immunity by prosecutors and testified versus Sullivan.

No other Uber executives had been charged in the scenario.

The hackers pleaded guilty in 2019 to personal computer fraud conspiracy expenses and are awaiting sentencing.

Sullivan was convicted of of obstruction of proceedings of the Federal Trade Commission and misprision of felony, meaning concealing knowledge of a felony from authorities.

Meanwhile, some industry experts have questioned how a lot cybersecurity has enhanced at Uber because the breach.

The firm introduced last month that all its products and services have been operational following what security industry experts named a key info breach, claiming there was no evidence the hacker acquired entry to sensitive user facts.

The lone hacker apparently gained access posing as a colleague, tricking an Uber staff into surrendering their qualifications. Screenshots the hacker shared with safety researchers suggest they received whole access to the cloud-primarily based systems where Uber shops delicate consumer and money information.

It is not regarded how considerably data the hacker stole or how extensive they were being inside Uber’s network. There was no indication they destroyed facts.

Signal up for the Fortune Characteristics email checklist so you never skip our greatest options, exclusive interviews, and investigations.