Uber’s former chief security officer has been convicted of failing to tell US authorities about a 2016 hack of the company’s databases.
A jury in San Francisco found Joe Sullivan – fired from Uber in 2017 – guilty of obstruction of justice and concealing a felony.
Increasingly, companies negotiate with ransomware hackers.
But investigators said they must “do the right thing” when their systems are breached.
The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney’s office.
After Sullivan’s conviction his lawyer, David Angeli, said “Mr Sullivan’s sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people’s personal data on the internet,” the Washington Post reported.
But prosecutors said the case was a warning to companies.
“We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie M Hinds said.
Ms Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he “took steps to prevent the hackers from being caught”.
At the time, the FTC was already investigating Uber following a 2014 hack.
When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ) .
Staff working for Sullivan confirmed data, including about 57 million Uber users’ records and 600,000 driving-licence numbers, had been stolen.
According to the DOJ, Sullivan arranged for the hackers to be paid $100,000 (£89,000) in bitcoin in exchange for them signing non-disclosure agreements to not reveal the hack to anyone,
The hackers were paid in December 2016, even though they had refused to provide their true names.
The payment was disguised as a “bug bounty”, a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.
The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair – both of whom have since been convicted of criminal offences – in January 2017 and required them to sign new agreements in their own names.
This conviction has sent shivers down the spines of many cyber-security executives.
With organised ransomware gangs, government-backed hacking teams and anarchist kids targeting companies, being a chief information security officer is already a daunting job.
Sullivan being personally convicted for a decision taken on behalf of his employer sets a scary precedent, some say.
For observers, the crimes Sullivan committed in 2016 also read as odd by today’s standards.
Negotiating with hackers and paying them to keep quiet is literally done every day now by corporations hit by ransomware gangs.
The key difference here, the jury found, is that Sullivan tried to cover it up.
Giving cyber-criminals what they want no longer carries the seriousness it once did, but companies, then and now, must always be transparent about how they respond to cyber-incidents that affect them and their customers.
The DOJ said that Sullivan “orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies”.
A new management team at Uber eventually reported the breach to the FTC in 2017 after carrying out their own investigation.
In 2018, Uber paid US states $148m to settle claims that it had been to slow to reveal the hack.
The verdict was a surprise to many working in computer security. At the time Sullivan had reportedly informed some senior figures at Uber about the threat.
The court also heard that internal legal advice had suggested that there was no need to disclose the hack if the attackers were identified, and agreed to delete the data and not spread it further.
Responding to the judgement, Dr Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, wrote, “The Uber case is just another illustrative example of the unfolding global trend to hold cyber-security executives accountable for their companies’ data breaches.
“Serious misconduct, such as deliberate concealment of a data breach despite the regulatory requirement to report the breach to mitigate harm, may even entail criminal sanctions.”
Dr Kolochenko said cyber-security executives should urgently check that their employment contracts address issues such as coverage of legal fees in case of a civil lawsuit or prosecution in relation to their professional responsibilities. The contracts should also contain a guarantee that their employer will not sue them – as victimised companies may also do this in case of security incidents, she added.
Sullivan has not yet been sentenced, and may appeal against the judgement.