Joe Sullivan, the former Uber security chief, was found guilty on Wednesday by a jury in federal court on charges that he did not disclose a breach of customer and driver records to government regulators.
In 2016, while the Federal Trade Commission was investigating Uber over an earlier breach of its online systems, Mr. Sullivan learned of a new breach that affected the Uber accounts of more than 57 million riders and drivers.
The jury found Mr. Sullivan guilty on one count of obstructing the F.T.C.’s investigation and one count of misprision, or acting to conceal a felony from authorities.
The case — believed to be the first time a company executive faced criminal prosecution over a hack — could change how security professionals handle data beaches.
“The way responsibilities are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programs are designed is going to be impacted by this,” said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.
Mr. Sullivan’s trial concluded on Friday, and the jury of six men and six women took more than 19 hours to reach a verdict.
Andrew Dawson, an assistant U.S. attorney, declined to comment on the verdict. Mr. Sullivan’s lawyer and Uber did not immediately respond to requests for comment
Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber’s online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems.
Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000.
Mr. Sullivan’s team referred them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team paid the hackers $100,000 and had them sign a nondisclosure agreement.
During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.
Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined in the company in 2017. The two hackers pleaded guilty to the hack in October 2019.
States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the F.T.C. investigation and hurt his reputation and that he concealed the hack from the F.T.C.
“He took many steps to keep the F.T.C. and others from finding out about it,” Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments on Friday. “This was a deliberate withholding and concealing of information.”
Mr. Sullivan did not reveal the 2016 hack to Uber’s general counsel, according to court testimonies and documents. He did discuss the breach with another Uber lawyer, Craig Clark.
Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan.
Mr. Clark testified that Mr. Sullivan had told the Uber security team that they needed to keep the breach secret and that Mr. Sullivan had changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research.
Mr. Sullivan said he would discuss the breach with Uber’s “A Team” of top executives, according to Mr. Clark’s testimony. He shared the matter with only one member of the A Team: the chief executive at the time, Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
Lawyers for Mr. Sullivan argued that he had merely been doing his job.
They argued that Mr. Sullivan and others had used the bug bounty program and the nondisclosure agreement to prevent user data from being leaked — and to identify the hackers — and that Mr. Sullivan had not concealed the incident from the F.T.C.