Former Uber Security Chief Found Guilty of Obstructing FTC Probe

A San Francisco jury has found Uber Inc.’s former chief security officer Joseph Sullivan guilty of criminal obstruction charges for failing to report a 2016 cyber intrusion to federal authorities.

The case was closely watched as a rare instance of a senior cybersecurity executive facing criminal consequences for a decision not to disclose a hacking incident.

The verdict, delivered Wednesday in U.S. federal court, followed a three-week trial. Mr. Sullivan now faces a five-year prison sentence on the obstruction charge and as many as three years in prison on a second charge of failing to report a felony.

The case placed a spotlight on the sometimes gray areas that cybersecurity teams navigate as they respond to hacking incidents. Mr. Sullivan’s lawyers had argued that their client had ultimately protected about 57 million Uber customer records in 2016, when they were accessed by an anonymous hacker who demanded a $100,000 payment. The money was eventually paid as a “bug bounty” by Mr. Sullivan’s team.

Prosecutors claimed that the payment was an attempt by Mr. Sullivan to cover up the incident and that he took steps to prevent it from being reported to the Federal Trade Commission, which was investigating Uber’s cybersecurity practices over an earlier breach at the time.

Mr. Sullivan was fired by Uber in 2017 and charged by federal authorities three years later.

The case centered around Mr. Sullivan’s actions following a November 2016 cybersecurity incident that occurred while Uber was the subject of an FTC investigation. Anonymous hackers approached Uber, saying they had discovered a “major vulnerability” in Uber and obtained sensitive company data and demanded payment. The next month, Uber paid the hackers, using the bitcoin digital currency, and eventually tracked down their true identity and had them sign nondisclosure agreements.

With the hackers identified and bound by an NDA, Mr. Sullivan’s team felt that the stolen data was protected, and the team classified the incident as a bug bounty incident rather than a data breach, his lawyer, David Angeli, said during closing arguments on Friday.

Uber’s security team and “Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported,” Mr. Angeli said. “There was no coverup and there was no obstruction.”

But Uber, already under investigation for mishandling customer data in 2014, didn’t inform the FTC of what happened. And Sullivan, according to prosecutors, didn’t inform key members of the legal team of the incident. He also took steps to prevent the fact that hackers had downloaded Uber’s data from being more widely known within the company, prosecutors said.

Uber’s chief executive at the time, Travis Kalanick, was aware of the incident, according to evidence presented during the trial. Mr. Kalanick stepped down under pressure from investors and was replaced by Uber’s current chief executive, Dara Khosrowshahi.

Shortly after taking the reins, Mr. Khosrowshahi decided to look into the 2016 incident after ordering an investigation, he testified during the trial.

Ultimately, he learned that a significant amount of data had been downloaded by the hacker and that the hacker had been paid significantly more than Uber typically awarded for bug bounties, things that Mr. Sullivan had failed to tell him, Mr. Khosrowshahi said.

In November 2017, Mr. Khosrowshahi fired Mr. Sullivan. “I felt I couldn’t trust the man anymore,” he said.

The case captured the attention of cybersecurity professionals because it is extremely unusual for executives to face criminal charges following a hack, said Scott Shackelford, a professor of business law and ethics at Indiana University. “It wasn’t that long ago that it was pretty rare for senior leaders even to be fired in the aftermath of a breach,” he said.

Lately, Washington has taken a more aggressive approach to policing the technology industry, Mr. Shackelford said. “This could be the first of many criminal prosecutions,” he said.

Write to Robert McMillan at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
