Jury Convicts Ex-Uber Security Chief in FTC Case

Uber’s ex-chief security officer Joseph Sullivan has been found guilty by a San Francisco jury of criminal obstruction for not reporting a 2016 cyber intrusion to federal authorities.

This case is a rare one in which a senior cybersecurity executive faces criminal charges for not disclosing a hacking incident. Sullivan will face a five-year prison sentence for obstruction, and as much as three years in prison on another charge of not reporting a felony.

The case shows the occasional gray areas faced by cybersecurity officials responding to hacking incidents. Sullivan’s lawyers argued that he had protected around 57 million Uber customer records in 2016 when an anonymous hacker demanded a $100,000 payment; Sullivan’s team handled that payment as a “bug bounty” for the incident.

Prosecutors said the payment was Sullivan’s way of covering up the incident, and that he tried to keep it from being reported to the Federal Trade Commission, which had been looking into Uber’s cybersecurity practices at the time. Sullivan was fired by Uber in 2017, and the charges came in 2020.

The case focused on Sullivan’s actions after the 2016 incident, in which hackers told Uber they had found a “major vulnerability,” had obtained sensitive company data, and demanded payment. Uber paid the hackers in bitcoin, and eventually tracked down their true identities and had them sign nondisclosure agreements.

Sullivan’s lawyer, David Angeli, said that because the hackers had been identified and bound by an NDA, Sullivan’s team felt the data was sufficiently protected and that the incident didn’t warrant being classed as a data breach.

Uber didn’t respond to a request for comment from PYMNTS.

In September, Uber blamed the extortion gang Lapsus$ for the recent breach that infiltrated its external network, PYMNTS wrote.

The breach encompassed its technology systems, Amazon Web Services, Google Cloud and VMware systems. The Lapsus$ operation, based in Brazil and the U.K., has been linked to attacks on various tech companies, including Microsoft, Cisco Systems, Okta and Samsung.

Uber said in a blog post that it had “not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history.”

The company also said it encrypts credit card data and other sensitive information for additional protection.