Uber’s former security chief convicted of data hack cover-up as court rejected claims other executives were responsible
- Jurors rejected the claim that other executives at the ride-hailing giant were aware of the 2016 hack
- The breach was originally disclosed after Dara Khosrowshahi took over as CEO in 2017, resulting in a US$148 million settlement

The trial featured almost four weeks of testimony that explored cybersecurity management as well as a shake-up at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as chief executive officer.
Sullivan was convicted of both charges against him, obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.
Sullivan, a former federal prosecutor who previously headed security for Facebook, is well known in Silicon Valley for his expertise in the field. He faces as long as eight years in prison, though his sentence will likely be far less.
“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case. Mr Sullivan’s sole focus – in this incident and throughout his distinguished career – has been ensuring the safety of people’s personal data on the internet,” said David Angeli, a lawyer for Sullivan. “We will evaluate next steps in the coming days.”
Companies are required under state and federal laws to promptly disclose data breaches. Uber’s mishandling of the 2016 attack on its servers resulted in the company paying US$148 million in a settlement with all 50 states, which at the time was the biggest data-breach payout in US history. Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach from 2014.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, US attorney for San Francisco, said in an emailed statement. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”