After a few days of deliberation, a jury of six men and six women reached a decision to convict Joe Sullivan, Uber’s former head of security. The defined crime is obstructing the investigation of federal regulators by hiding a massive data leak. As such, it is possible that the individual is the first executive to be prosecuted for a hack crime.
In all, two breaches in the travel company’s security occurred in 2016. However, federal investigators were only aware of the first. According to information released by the Ars Technicaas soon as Joe Sullivan found out about the second attack, he tried to disguise the event.
The way the executive found to do this was to pay the sum of $100K to the hackers, through a program to detect failures called “bug bounty”. In this way, he was able to pretend that the second leak had been a test planned by Uber. In addition, Sullivan asked the criminals to sign a confidentiality agreement.
All this to not bring more headache and embarrassment to the brand.
However, a year after the attacks, the company communicated what had happened to the public. That’s because many US states require by law that security breaches be disclosed. The discovery was made internallybut the Bloomberg ended up reporting the payment to hackers.
From there, company officials accused Joe Sullivan of hiding information, but they also took responsibility for the fact.
While still subject to appeal, the ex-boss can face 8 years in prison (five years for obstruction and three for knowing about a crime and not reporting it).
Finally, according to David Angeli, one of the lawyers for the former travel brand executive:
While we obviously disagree with the jury’s verdict, we appreciate your dedication and effort in this case. The sole focus of Mr. Sullivan – in this incident and throughout his distinguished career – has been ensuring the security of people’s personal data on the Internet.
Massive breach occurred in 2016
To date, this is the biggest data breach that has happened at Uber since its founding in 2009. About 57 million driver and customer data has been compromised, from email addresses to phone numbers.
However, information such as credit card numbers were not affected, according to the company statement.
CEO Dara Khosrowshahi questioned the company’s decisions at the time:
You might be asking why we’re talking about this now, a year later. I had the same question so I immediately asked for a full investigation of what happened and how we dealt with it..
As a result, the Uber was fined $148 million after covering up the leak of customer and partner data.