Joe Sullivan, the former Uber security chief, was found guilty on Wednesday by a jury in federal court on charges that he did not disclose a breach of customer and driver data to government regulators.
In 2016, while the Federal Trade Commission was investigating Uber over an earlier breach of its online systems, Mr. Sullivan learned of a new breach that affected the Uber accounts of more than 57 million riders and drivers.
The jury found Mr. Sullivan guilty on one count of obstructing the F.T.C.’s investigation and one count of misprision, or acting to conceal a felony from authorities.
The case — believed to be the first time a company executive faced criminal prosecution over a hack — could change how security professionals handle data breaches.
“The way duties are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programs are designed is going to be impacted by this,” said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.
Mr. Sullivan’s trial concluded on Friday, and the jury of six men and six women took more than 19 hours to reach a verdict.
Andrew Dawson, an assistant U.S. attorney, declined to comment on the verdict. Mr. Sullivan’s lawyer and Uber did not immediately respond to requests for comment.
Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber’s online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems.
Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000.
Mr. Sullivan’s team referred them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.
During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.
Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined the company in 2017. The two hackers pleaded guilty to the hack in October 2019.
States usually require companies to disclose breaches if hackers obtain personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the F.T.C. investigation and hurt his reputation and that he concealed the hack from the F.T.C.
“He took many steps to keep the F.T.C. and others from finding out about it,” Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments on Friday. “This was a deliberate withholding and concealing of data.”
Mr. Sullivan did not reveal the 2016 hack to Uber’s general counsel, according to court testimony and documents. He did discuss the breach with another Uber lawyer, Craig Clark.
Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan.
Mr. Clark testified that Mr. Sullivan had told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan had changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research.
Mr. Sullivan said he would discuss the breach with Uber’s “A Team” of top executives, according to Mr. Clark’s testimony. He shared the matter with only one member of the A Team: the chief executive at the time, Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
Lawyers for Mr. Sullivan argued that he had merely been doing his job.
They argued that Mr. Sullivan and others had used the bug bounty program and the nondisclosure agreement to prevent user data from being leaked — and to identify the hackers — and that Mr. Sullivan had not concealed the incident from the F.T.C.