Uber’s former security chief convicted of data hack coverup

Uber Technologies Inc.’s former security chief was convicted of concealing a massive data breach in a case that prosecutors tied to the company’s troubled past under its original leadership.

Joe Sullivan was found guilty in federal court in San Francisco on Wednesday by a jury that rejected his claim that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.

The trial featured almost four weeks of testimony that explored cybersecurity management as well as a shakeup at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as chief executive.

Sullivan was convicted of both charges against him, obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.

Sullivan, a former federal prosecutor who previously headed security for Facebook, is well known for his expertise in the field in Silicon Valley. He faces as much as eight years in prison, though his sentence probably will be far less.

“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days.”

Companies are required under state and federal laws to promptly disclose data breaches. Uber’s mishandling of the 2016 attack on its servers resulted in the company paying $148 million in a settlement with all 50 states, which at the time was the biggest data-breach payout in U.S. history. Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach in 2014.

Sullivan was accused of actively covering up the hack.

Prosecutors alleged that he quietly arranged for the company to pay the hackers $100,000 in bitcoin to delete the stolen data under the guise of a program used to reward security researchers for identifying vulnerabilities, known as a “bug bounty.” In return, the two hackers agreed not to…