In what is thought to be a first, an executive at a company has been found guilty of charges relating to concealing a hack. Joe Sullivan, Uber’s former chief security officer, authorized payments to the perpetrators of a 2016 data breach that saw the personal details of 50 million Uber customers and 7 million drivers stolen.
The Washington Post reports that a jury found Sullivan—a former prosecutor of cybercrimes for the San Francisco US attorney’s office—guilty of obstructing justice for not revealing the October 26, 2016, breach to the FTC; companies are required to disclose data breaches under state and federal laws. He was also found guilty of actively hiding a felony, or misprision.
The hackers emailed Uber anonymously in 2016, informing it that they had accessed the company’s Amazon Web Services (AWS) storage and downloaded swathes of data, which included names, email addresses, and phone numbers, along with 600,000 US drivers’ license numbers. It later emerged that they achieved this by accessing a private GitHub coding site used by Uber software engineers and using the login credentials they obtained there.
The hackers were directed to Uber’s bug bounty program, but its maximum $10,000 reward didn’t satisfy the criminals, who wanted a six-figure sum in return for deleting the stolen info and keeping quiet about the incident. Already under FTC investigation over a similar 2014 breach, Uber agreed to a $100,000 payment in Bitcoin under the guise of it being a bug bounty payment. The two hackers were later arrested and pleaded guilty to hacking charges.
The hack only became public knowledge in November 2017 when new CEO Dara Khosrowshahi disclosed it and fired Sullivan. Prosecutors claim Sullivan kept the breach hidden to protect his reputation.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, US attorney for San Francisco, said in an email to Bloomberg. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
Sullivan faces up to eight years in prison but is reportedly likely to receive a much shorter sentence.
Uber confirmed it suffered another data breach last month that could have been as bad as or worse than the 2016 incident. It was carried out by the same 18-year-old hacker behind the GTA 6 leak, who has since been arrested.