The Washington Post reports that a jury found Sullivan—a former prosecutor of cybercrimes for the San Francisco US attorney’s office—guilty of obstructing justice for not revealing the October 26, 2016, breach to the FTC; companies are required to disclose data breaches under state and federal laws. He was also found guilty of actively hiding a felony, or misprision.
The hackers were directed to Uber’s bug bounty program, but its maximum $10,000 reward didn’t satisfy the criminals, who wanted a six-figure sum in return for deleting the stolen info and keeping quiet about the incident. Already under FTC investigation over a similar 2014 breach, Uber agreed to a $100,000 payment in Bitcoin under the guise of it being a bug bounty payment. The two hackers were later arrested and pleaded guilty to hacking charges.
The hack only became public knowledge in November 2017 when new CEO Dara Khosrowshahi disclosed it and fired Sullivan. Prosecutors claim Sullivan kept the breach hidden to protect his reputation.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Stephanie Hinds, US attorney for San Francisco, said in an email to Bloomberg. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.”
Sullivan faces up to eight years in prison but is reportedly likely to receive a much shorter sentence.
Uber confirmed it suffered another data breach last month that could have been as bad as or worse than the 2016 incident. It was carried out by the same 18-year-old hacker behind the GTA 6 leak, who has since been arrested.