A San Francisco jury has found Uber Technologies Inc.’s former chief security officer, Joseph Sullivan, guilty of criminal obstruction charges for failing to report a 2016 cyber intrusion to federal authorities.
The case was closely watched as a rare instance of a senior cybersecurity executive facing criminal consequences for a decision not to disclose a hacking incident.
The verdict, delivered Wednesday in U.S. federal court, followed a three-week trial. Mr. Sullivan now faces a five-year prison sentence on the obstruction charge and as many as three years in prison on a second charge of failing to report a felony.
The case placed a spotlight on the sometimes gray areas that cybersecurity teams navigate as they respond to hacking incidents. Mr. Sullivan’s lawyers had argued that their client had ultimately protected about 57 million customer records in 2016, when they were accessed by an anonymous hacker who demanded a $100,000 payment. The money was eventually paid as a “bug bounty” by Mr. Sullivan’s team.
Prosecutors claimed that the payment was an attempt by Mr. Sullivan to cover up the incident and that he took steps to prevent it from being reported to the Federal Trade Commission, which was investigating Uber’s cybersecurity practices over an earlier breach at the time. Mr. Sullivan was fired by Uber in 2017 and charged by federal authorities three years later.
The case centered around Mr. Sullivan’s actions following a November 2016 cybersecurity incident that occurred while Uber was the subject of an FTC investigation. Anonymous hackers approached Uber, saying they had discovered a “major vulnerability” in Uber and obtained sensitive company data, and demanded payment. The next month, Uber paid the hackers, using the bitcoin digital currency, and eventually tracked down their true identity and had them sign nondisclosure agreements.
With the hackers identified and bound by an NDA, Mr. Sullivan’s team felt that the stolen data was protected and the team classified the incident as a bug bounty incident rather than a data breach, his lawyer, David Angeli, said during closing arguments on Friday.
Uber’s security team and “Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported,” Mr. Angeli said. “There was no coverup and there was no obstruction.”
But Uber, already under investigation for mishandling customer data in 2014, didn’t inform the FTC of what happened. And Sullivan, according to prosecutors, didn’t inform key members of the legal team of the incident. He also took steps to prevent the fact that hackers had downloaded Uber’s data from being more widely known within the company, prosecutors said.
Uber’s chief executive at the time, Travis Kalanick, was aware of the incident, according to evidence presented during the trial. Mr. Kalanick stepped down under pressure from investors and was replaced by Uber’s current CEO, Dara Khosrowshahi.
Shortly after taking the reins, Mr. Khosrowshahi decided to look into the 2016 incident after ordering an investigation, he testified during the trial.
Ultimately, he learned that a significant amount of data had been downloaded by the hacker and that the hacker had been paid significantly more than Uber typically awarded for bug bounties, things that Mr. Sullivan had failed to tell him, Mr. Khosrowshahi said.
In November 2017, Mr. Khosrowshahi fired Mr. Sullivan. “I felt I couldn’t trust the man anymore,” he said.
The case captured the attention of cybersecurity professionals because it is extremely unusual for executives to face criminal charges following a hack, said Scott Shackelford, a professor of business law and ethics at Indiana University. “It wasn’t that long ago that it was pretty rare for senior leaders even to be fired in the aftermath of a breach,” he said.
Lately, Washington has taken a more aggressive approach to policing the technology industry, Mr. Shackelford said. “This could be the first of many criminal prosecutions,” he said.
Corrections & Amplifications
Joseph Sullivan’s surname was misspelled in an earlier version of this story. The complete name of ride-sharing company Uber is Uber Technologies Inc. An earlier version of this story incorrectly referred to the company as Uber Inc. (Corrected on Oct. 5.)
Write to Robert McMillan at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.