Joe Sullivan, the former Uber security chief, was found guilty on Wednesday by a jury in federal court on charges that he did not disclose a breach of customer and driver data to government regulators.
In 2016, while the Federal Trade Commission was investigating Uber over an earlier breach of its online systems, Mr. Sullivan learned of a new breach that affected the Uber accounts of more than 57 million riders and drivers.
The jury found Mr. Sullivan guilty on one count of obstructing the F.T.C.’s investigation and one count of misprision, or acting to conceal a felony from authorities.
The case — believed to be the first time a company executive faced criminal prosecution over a hack — could change how security professionals handle data breaches.
“The way in which obligations are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way in which bug bounty programs are designed is going to be impacted by this,” said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.
Mr. Sullivan’s trial concluded on Friday, and the jury of six men and six women took more than 19 hours to reach a verdict.
“While we clearly disagree with the jury’s verdict, we admire their dedication and energy on this case,” said David Angeli, a lawyer for Mr. Sullivan. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the security of people’s private information on the web.”
Stephanie M. Hinds, the U.S. attorney for the Northern District of California, said in a statement: “We won’t tolerate concealment of important information from the public by company executives more interested in protecting their reputation and that of their employers than in protecting customers. Where such conduct violates the federal law, it will be prosecuted.”
Uber did not immediately respond to requests for comment.
Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber’s online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems.
Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000.
Mr. Sullivan’s team referred them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.
During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.
Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined the company in 2017. The two hackers pleaded guilty to the hack in October 2019.
States typically require companies to disclose breaches if hackers obtain personal data and a certain number of users are affected. There is no federal law requiring companies or executives to disclose breaches to regulators.
Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would prolong the F.T.C. investigation and harm his reputation and that he hid the hack from the F.T.C.
“He took many steps to keep the F.T.C. and others from finding out about it,” Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments on Friday. “This was a deliberate withholding and concealing of information.”
Mr. Sullivan did not reveal the 2016 hack to Uber’s general counsel, according to court testimony and documents. He did discuss the breach with another Uber lawyer, Craig Clark.
Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan.
Mr. Clark testified that Mr. Sullivan had told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan had changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research.
Mr. Sullivan said he would discuss the breach with Uber’s “A Team” of top executives, according to Mr. Clark’s testimony. He shared the matter with only one member of the A Team: the chief executive at the time, Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
Lawyers for Mr. Sullivan argued that he had merely been doing his job.
They argued that Mr. Sullivan and others had used the bug bounty program and the nondisclosure agreement to prevent user data from being leaked — and to identify the hackers — and that Mr. Sullivan had not concealed the incident from the F.T.C.
After the trial, one of the jurors, Joel Olson, said that the extensive array of documents presented by the lawyers in the case, including edits to the nondisclosure agreement, made it clear that Mr. Sullivan had hidden the breach from authorities. “It was all dated and timed and documented very clearly,” he said.