Uber’s former security chief found guilty of hiding 2016 data breach
The Uber verdict marks a rare instance where a corporate information security officer was criminally charged with failing to disclose a hacking
Uber’s former security chief on Wednesday was found guilty of hiding a 2016 data breach from authorities and obstructing a Federal Trade Commission investigation into the company’s security practices, according to reports.
Joe Sullivan, 53, who headed security for Facebook before joining Uber, was found guilty in San Francisco federal court after a three-week trial. It marked a rare instance where a corporate information security officer was criminally charged with failing to disclose a hacking.
In his opening argument, Andrew Dawson, an assistant U.S. attorney in the Northern District of California told the court this case was "about cover-up, about payoff and about lies," The Wall Street Journal reported.
A federal judge ruled over the summer that Sullivan must face wire fraud charges over his purported involvement in attempting to cover up the 2016 hacking, exposing personal information of 57 million of the company's drivers and passengers.
The Department of Justice said Sullivan arranged to pay $100,000 in hush money to two hackers, while also trying to hide the hacking from drivers, passengers, and the FTC.
UBER BLAMES HACKING GROUP LAPSUS$ FOR BREACH, SAYS CONTRACTOR'S PASSWORD WAS SOLD ON DARK WEB
A federal judge rejected Sullivan's claim that prosecutors failed to adequately argue he concealed the hacking in an effort to ensure that Uber drivers would not flee and would continue making service fee payments.
The judge also rejected Sullivan's assertion that those who were allegedly hacked were Uber's then-CEO Travis Kalanick and the company's general counsel, but no drivers.
Sullivan was initially indicted for his role in the scheme in September 2020.
Uber had a bounty program created to reward security researchers who report flaws. The program was not, however, designed to conceal data thefts.
The ride-sharing company's current CEO, Dara Khosrowshahi, terminated Sullivan's employment after learning about the extent of his breach.
The company paid $148 million in September 2018 to settle claims by all 50 U.S. states and Washington, D.C., with each alleging Uber was too slow to disclose the hacking.
CLICK HERE TO GET THE FOX BUSINESS APP
Sullivan faces as much as eight years in prison and $500,000 in fines, but U.S. District Judge William Orrick has yet to set a sentencing date.
FOX Business has reached out to Uber and Sullivan's attorney for comment.
FOX Business’ Landon Mion contributed to this report.