Uber’s former head of security has been convicted of covering up a 2016 data breach at the ride-hailing giant, hiding details from US regulators and paying off a pair of hackers in return for their silence.
The trial, closely watched in cyber security circles, is thought to be the first criminal prosecution of a company executive over the handling of a data breach.
Joe Sullivan, who was fired in 2017 over the incident, was found guilty on Tuesday by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the ride-booking service over a separate cyber security lapse that had occurred two years earlier.
Jurors also convicted Sullivan on a second count related to having knowledge of, but failing to report, the 2016 breach to the appropriate government authorities.
The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.
Prosecutors said Sullivan had taken steps to make sure data compromised in the attack would not be discovered. According to court documents, two hackers approached Sullivan’s team to notify Uber of a security flaw that exposed the personal data of nearly 60mn drivers and riders on the platform.
The hackers, one of whom testified during the trial, rejected the company’s offer of $10,000 — the maximum payout under Uber’s “bug bounty” programme designed to encourage private disclosure of security flaws — and threatened to release the data if a higher price was not paid.
The parties negotiated a $100,000 payment, which required signing a non-disclosure agreement and a commitment to delete any user data that had been obtained. The two hackers later pleaded guilty to the attack.
Lawyers for Sullivan defended his actions in court, saying he had acted to protect users and had notified his superiors — including then-CEO Travis Kalanick — of the data breach.
The outcome will send shockwaves through the cyber security industry, raising questions over who should take responsibility when damaging breaches occur.
“This verdict is misplaced,” said Katie Moussouris, founder and chief executive of Luta Security, which specialises in running “bug bounty” programmes for large organisations. “The role of chief security officer cannot become chief sacrificial officer if we want those roles to be effective.”
Uber did not respond to requests for comment.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” said Stephanie Hinds, US attorney for the northern district of California, in a statement.
“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” she added.
Sullivan, a former federal prosecutor specialising in cyber crime, has previously worked at Facebook and Cloudflare.
A date for his sentencing has not yet been set. He could face up to eight years in prison.