Uber CSO Joe Sullivan convicted of concealing 2016 hack
Former security chief faces up to 8 years in prison for trying to disguise the breach as part of a bug bounty programme to avoid disclosure
Joe Sullivan, the former security chief of Uber Technologies, was found guilty on Wednesday by a jury in San Francisco federal court on charges that he concealed a massive data breach of customer and driver records at Uber and failed to report the hack to government authorities.
The jury rejected Sullivan's assertion that other Uber executives knew about the breach and were to blame for not reporting the incident to authorities for more than a year.
The trial came to a close on Friday, and it took the jury more than 19 hours to reach a decision.
"While we obviously disagree with the jury's verdict, we appreciate their dedication and effort in this case," said David Angeli, a lawyer for Sullivan.
"Mr Sullivan's sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people's personal data on the internet," Angeli added.
The Uber breach was first made public in November 2017 when the company CEO Dara Khosrowshahi disclosed that hackers had accessed the personal information of as many as 57 million Uber users and drivers worldwide, including licence numbers of 600,000 Uber drivers in the United States.
In July of this year, as part of an agreement with the US Department of Justice to avoid prosecution, Uber acknowledged hiding the cybersecurity incident.
The prosecutor's office filed charges against Sullivan in 2020 for obstruction of justice and misprision, that is, concealing a crime from law enforcement.
Later, three counts of wire fraud charges were added, but they were dismissed before the trial.
On Wednesday, Sullivan was found guilty on both charges.
Sullivan was terminated from his job at Uber in 2017, and subsequently found employment as the head of security at the internet infrastructure company Cloudflare. However, he resigned from his post there in order to prepare for his trial.
According to federal prosecutors, Sullivan discovered the theft in November 2016, just ten days after testifying before the US Federal Trade Commission (FTC) over a 2014 hack on Uber.
As Sullivan was afraid that disclosure of another data breach at Uber would be detrimental to the firm, he attempted to cover up the theft by pretending that a payment made to the hackers in order to retrieve the data was actually part of a bug bounty programme.
Bug bounty programmes encourage security researchers to find and report flaws in return for financial incentives. But prosecutors said Uber's programme was not permitted to reward "a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems".
Sullivan instructed his employees to ensure that information about the hack remained "tightly controlled".
Only Sullivan and former Uber CEO Travis Kalanick were aware of the full extent of the breach, according to the Department of Justice lawsuit, and they both had a say in the decision to classify it as an authorised disclosure via the bug bounty programme.
There have been no charges brought against Kalanick in this case.
Attorneys for Sullivan argued that Uber made him the scapegoat to protect the reputation of its new CEO, Dara Khosrowshahi, who had made a commitment to improve the company's image.
Angeli, Sullivan's lawyer, said during the trial that Sullivan had told Khosrowshahi about the breach almost immediately.
In 2019, the two individuals responsible for the cyber theft, Brandon Charles Glover and Vasile Mereacre, both entered guilty pleas. During Sullivan's trial last month, Mereacre testified that he and his accomplice intended to extort money from Uber.
"He took many steps to keep the FTC and others from finding out about it," Benjamin Kingsley, an assistant US attorney, said during closing arguments.
"This was a deliberate withholding and concealing of information."
Joel Olson, one of the jurors, said after the trial that the substantial collection of documents put out by the attorneys, including edits to the non-disclosure agreement, showed that Sullivan had attempted to conceal the data breach from law enforcement.
According to Bloomberg, Sullivan faces up to eight years in prison, but is 'likely' to receive a far shorter sentence.