Uber headquarters in San Francisco: concealed the data theft, paid 100,000 euros to the hackers
Photo: Eric Risberg/ dpa
The former Uber security chief was found guilty in San Francisco on Wednesday of trying to cover up a massive data breach.
In the 2016 incident, hackers obtained a great deal of information from the company's driver database.
A federal court in San Francisco has now convicted Joseph Sullivan of obstructing justice and concealing knowledge of a crime.
He now faces up to eight years in prison.
Sullivan had been head of security at Uber since 2015.
In November 2016, hackers stole records of around 57 million users and drivers, as well as 600,000 driver's license numbers, according to prosecutors.
In response to the data leak, Sullivan devised a plan to hide the problem from the public and the Federal Trade Commission (FTC).
At this point, the FTC was already investigating another Uber hack from 2014.
According to the US Attorney's Office, Sullivan told his closest associates that "this can't get out" and that to the public, "this investigation doesn't exist."
He is also said to have kept the data theft secret from Uber's lawyers.
Instead, he organized a $100,000 payment in Bitcoin to the hackers.
In exchange, the hackers were to sign a non-disclosure agreement, destroy the data and promise not to disclose the hack.
Uber had to pay a record fine
Sullivan's plan didn't work out: in 2017, Uber's new leadership began investigating the case and fired the security chief.
A confidant of Sullivan testified against him at the trial in exchange for assurances of immunity.
Uber was fined a record $148 million for covering up the hack.
The Uber hackers, two men from Canada and the United States, pleaded guilty to charges of computer fraud in 2019 and are now awaiting sentencing.
Screenshots shared with security researchers by one of the hackers suggest he had full access to the cloud-based systems where Uber stores sensitive customer and financial data.
Whether Uber built a more robust cybersecurity infrastructure after the incident is uncertain.
Just last month, a hacker penetrated the company's IT systems again.