A San Francisco jury found Uber’s former chief security officer, Joe Sullivan, guilty of criminal obstruction for failing to report a 2016 cybersecurity incident to authorities. Sullivan, who was fired from Uber in 2017, was found guilty on counts of obstruction of justice and deliberate concealment of a felony, the Guardian reports. Sullivan worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught, said U.S. Attorney Stephanie Hinds. The case was being watched as an important precedent regarding the culpability of individual security staffers and executives when handling cybersecurity incidents, a concern that has grown at a time when reports of ransomware attacks have surged and cybersecurity insurance premiums have risen.
The case pertains to a breach of Uber’s systems that affected the data of 57 million passengers and drivers.
The breach took place in 2016, but Uber disclosed it publicly only a year later. Public disclosures of security breaches are required by law in many states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay.” Uber’s revelations led to several federal and state inquiries. In September 2018, Uber paid $148 million to settle claims by all 50 states and Washington, D.C., that it was too slow to disclose the hacking. The two hackers involved that year pleaded guilty to hacking Uber and then extorting Uber’s “bug bounty” security research program the next year.