Joe Sullivan, the former Uber security chief, was found guilty on Wednesday by a jury in federal court on charges that he did not disclose a breach of customer and driver records to government regulators.
In 2016, while the Federal Trade Commission was investigating Uber over an earlier breach of its online systems, Mr. Sullivan learned of a new breach that affected the Uber accounts of more than 57 million riders and drivers.
The jury found Mr. Sullivan guilty on one count of obstructing the FTC’s investigation and one count of misprision, or acting to conceal a felony from authorities.
The case — believed to be the first time a company executive faced criminal prosecution over a hack — could change how security professionals handle data breaches.
“The way responsibilities are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programs are designed is going to be impacted by this,” said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.
Mr. Sullivan’s trial concluded on Friday, and the jury of six men and six women took more than 19 hours to reach a verdict.
“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” said David Angeli, a lawyer for Mr. Sullivan. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet.”
Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users . Where such conduct violates the federal law, it will be prosecuted.”
Uber did not immediately respond to requests for comment.
Mr. Sullivan was filed by the FTC as it investigated a 2014 breach of Uber’s online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems.
Mr. Sullivan learned that the hacker and an accomplished had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000.
Mr. Sullivan’s team referred them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. The program capped pays out at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.
During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.
Uber did not publicly disclose the incident or inform the FTC until a new chief executive, Dara Khosrowshahi, joined the company in 2017. The two hackers pleaded guilty to the hack in October 2019.
States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the FTC investigation and hurt his reputation and that he concealed the hack from the FTC
“He took many steps to keep the FTC and others from finding out about it,” Benjamin Kingsley, an assistant US attorney, said during closing arguments on Friday. “This was a deliberate withholding and concealing of information.”
Mr. Sullivan did not reveal the 2016 hack to Uber’s general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark.
Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan.
Mr. Clark tested that Mr. Sullivan had told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan had changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research.
Mr. Sullivan said he would discuss the breach with Uber’s “A Team” of top executives, according to Mr. Clark’s testimony. He shared the matter with only one member of the A Team: the chief executive at the time, Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
Lawyers for Mr. Sullivan argued that he had merely been doing his job.
They argued that Mr. Sullivan and others had used the bug bounty program and the nondisclosure agreement to prevent user data from being leaked — and to identify the hackers — and that Mr. Sullivan had not concealed the incident from the FTC
After the trial, one of the jurors, Joel Olson, said that the extensive array of documents presented by the lawyers in the case, including edits to the nondisclosure agreement, made it clear that Mr. Sullivan had hidden the breach from authorities. “It was all dated and timed and documented very clearly,” he said.