Following the 2016 data breach at Uber, Joe Sullivan, the company's former head of security, was found guilty of federal obstruction of justice for hiding the cybersecurity incident from the Federal Trade Commission, as per The Guardian.
A jury in a federal court in San Francisco convicted Sullivan for concealing the 2016 data breach for more than a year.
Sullivan's argument that other Uber executives knew about the data breach was rejected by the jury. The former security head's claims that the other executives are responsible for not publicly disclosing the breach were likewise rejected.
Jury Convicts Sullivan of Obstruction of Justice, Concealing a Felony
Aside from federal obstruction for concealing the breach, Sullivan was also convicted for "actively hiding a felony by authorizing payments to the hacker responsible," as per CNET.
Sullivan, who was fired from Uber in 2017, did not disclose the breach, which compromised the data of 57 million drivers and users of the ride-hailing app.
The compromised data included names, email addresses, and driver's license numbers.
The data breach at Uber happened in October 2016. However, it remained concealed until November 2017.
According to CNET, Uber discovered that a hack occurred in November 2016. At the time, Sullivan was still head of security. He paid $100,000 for the threat actor to delete the data.
Sullivan's case is believed to be the first time a company's executive has faced criminal charges over a data breach.
His trial, which lasted for three weeks, was concluded on Friday. According to Forbes, the jury spent around 19 hours coming up with a verdict.
According to the Department of Justice, for the obstruction of justice charge, Sullivan is expected to face a maximum of five years in prison. In addition, for failing to report a crime, he will be imprisoned for another three years.
Sullivan Arranged for the Hackers' Payment of $100,000
In 2020, criminal charges against Sullivan were filed by the DOJ. When the case was filed, it was alleged that he arranged for the hackers' payment of $100,000 in bitcoin.
The prosecutors also alleged that Sullivan traced the hackers to make them sign nondisclosure agreements. The said agreements falsely stated that they had not stolen data from Uber.
Eventually, in July, Uber took responsibility for concealing the data breach. Likewise, the ride-hailing company agreed to cooperate with the prosecution of Sullivan regarding his role in hiding the data breach.
Uber's decision to accept the responsibility is part of a settlement with US prosecutors. This is a necessary step in order to avoid criminal charges.
A settlement was reached between Uber, all 50 US states, and the District of Columbia in September 2018. The company agreed to pay $148 million for failing to report the data breach.
In many US states, the law requires public disclosure of security breaches. Regulations in most states mandate that the company notify "in the most expedient time possible and without unreasonable delay."
According to CNET, Uber did not issue a statement when asked for a comment. Likewise, as per The Guardian, Sullivan's lawyer David Angeli and the FTC did not give an immediate response on the matter.