Joseph Sullivan, former Uber security chief convicted of 2016 hacking cover up
Joseph Sullivan's conviction marks the first ever corporate executive to be convicted for a data breach
Sullivan joined Uber in 2015
He paid the hackers $100,000 in bitcoin to prevent them from revealing the hack
Uber's former security chief, Joseph Sullivan, was convicted on Wednesday for covering up a 2016 data breach by hackers leading to the leak of millions of customers' data.
Sullivan was convicted by a federal jury for obstructing justice and concealing knowledge of a federal felony, prosecutors said. He will remain free on bond pending sentencing and could face up to eight years of prison time, according to federal prosecutors.
U.S. Attorney Stephanie M. Hinds said in a statement that the concealment of important information by corporate executives would not be tolerated, and that their reputation was not more important than protecting their users' data.
The former security chief's conviction marks the first time that a company executive has been convicted of a data breach. Sullivan was hired by Uber in 2015. The following year in November, he received an email from the hackers, following which Uber employees confirmed that they had gained access to the records of 57 million users and 600,000 driver's licenses. Following the hack, Sullivan planned to hide the data breach from the public, especially at a time when Uber was already being investigated by the Federal Trade Commission for a smaller 2014 hack, according to prosecutors.
He allegedly told his subordinates that "the story outside of the security group was to be that ‘this investigation does not exist,'" according to the US attorney's office. As a result, Sullivan paid the hackers $100,000 in bitcoin in exchange for them to sign a non-disclosure agreement promising not to reveal the hack. Uber's lawyers who were involved with the FTC inquiry were not told, according to prosecutors.
Uber saw a shift in management in 2017, which led to the reveal of the hack. Earlier this year, the ride-hailing company decided to admit fault for the cover up in a bid to avoid being pressed with criminal charges.
In fact, just last month, the company saw another major data breach after a lone hacker accessed internal systems after convincing an Uber employee to hand over secure credentials. The hacker was impersonating a corporate IT employee over text messages.