Joe Sullivan, the former Uber security chief, was found guilty on Wednesday by a jury in federal court on charges that he did not disclose a breach of customer and driver records to government regulators.
In 2016, while the Federal Trade Commission was investigating Uber over an earlier breach of its online systems, Mr. Sullivan learned of a new breach that affected the Uber accounts of more than 57 million riders and drivers.
The jury found Mr. Sullivan guilty on one count of obstructing the F.T.C.’s investigation and one count of misprision, or acting to conceal a felony from authorities.
The case — believed to be the first time a company executive faced criminal prosecution over a hack — could change how security professionals handle data beaches.
“The way responsibilities are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programs are designed is going to be impacted by this,” said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.
Mr. Sullivan’s trial concluded on Friday, and the jury of six men and six women took more than 19 hours to reach a verdict.
Andrew Dawson, an assistant U.S. attorney, declined to comment on the verdict. Mr. Sullivan’s lawyer and Uber did not immediately respond to requests for comment
Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber’s online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems.
Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000.
Mr. Sullivan’s team referred them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.
During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.
Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined in the company in 2017. The two hackers pleaded guilty to the hack in October 2019.
States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the F.T.C. investigation and hurt his reputation and that he concealed the hack from the F.T.C.
“He took many steps to keep the F.T.C. and others from finding out about it,” Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments on Friday. “This was a deliberate withholding and concealing of information.”
Mr. Sullivan did not reveal the 2016 hack to Uber’s general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark.
Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan.
Mr. Clark testified that Mr. Sullivan had told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan had changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research.
Mr. Sullivan said he would discuss the breach with Uber’s “A Team” of top executives, according to Mr. Clark’s testimony. He shared the matter with only one member of the A Team: the chief executive at the time, Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
Lawyers for Mr. Sullivan argued that he had merely been doing his job.
They argued that Mr. Sullivan and others had used the bug bounty program and the nondisclosure agreement to prevent user data from being leaked — and to identify the hackers — and that Mr. Sullivan had not concealed the incident from the F.T.C.
TikTok’s “Transparency and Accountability Center” + ChatGPT’s Origin Story + Kevin Systrom’s Artifact App
Rate this post Casey becomes a content moderator, Kevin breaks some news on OpenAI and Instagram’s co-founder reveals his new...
How ChatGPT Kicked Off an A.I. Arms Race
Rate this post Even inside the company, the chatbot’s popularity has come as something of a shock. Source link
‘My Watch Think’s I’m Dead’
Rate this post 911 dispatchers are buried under an avalanche of false, automated distress calls from skiers and other Apple...
Tech’s Biggest Companies Discover Austerity, to the Relief of Investors
Rate this post After years of expansion and billions in profits, Big Tech is pulling back from its famously lavish...