Ex-Uber chief security officer found guilty of covering up 2016 data breach

SAN FRANCISCO – The ex-chief security officer of Uber Technologies Inc. has been convicted of covering up a 2016 data breach involving 57 million of the San Francisco-based ride-hailing company’s users, according to the U.S. Attorney’s Office.

A jury on Wednesday found Joseph Sullivan guilty of obstruction of justice and misprision of felony, or having knowledge that a federal felony was committed and taking steps to conceal that crime, prosecutors said in a statement. He faces up to five years for the obstruction charge and up to three years for the misprision charge.

According to the U.S. Attorney’s Office, Sullivan was hired as Uber’s chief security officer in April 2015. The company at the time had recently disclosed to the Federal Trade Commission that it had been the victim of a data breach in 2014. The breach related to the unauthorized access of 50,000 customers’ personal information.

The FTC subsequently opened an investigation into Uber’s data security program and practices. In May 2015, a month after Sullivan was hired, the federal agency served the company with a demand for information about any other instances of unauthorized access to user personal information, as well as information regarding its broader data security program and practices.

Prosecutors said Sullivan played a key role in Uber’s response to the FTC – he supervised its responses to the agency, participated in a presentation to the regulators in March 2016 and testified under oath on Nov. 6, 2016, regarding the company’s practices.

Ten days after he testified, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly via email on Nov. 14, 2016, and informed him and others at the company that they had stolen user data, according to the U.S. Attorney’s Office. The hackers also reportedly demanded a ransom to delete that data.

All told, the breach involved 57 million Uber users and 600,000 driver license numbers.

Prosecutors said Sullivan did not report the new data breach to the FTC, other authorities or users; he instead arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which they promised not to reveal…