In 2016, hackers emailed security expert Joe Sullivan and threatened to sell stolen information from Uber drivers and customers, in exchange for a large ransom. Instead of reporting it, federal prosecutors alleged that Sullivan covered up the breach. He paid the hackers 100 thousand dollars in Bitcoin in exchange for a non-disclosure agreement.
The four-week trial in a San Francisco District Court ultimately found Sullivan guilty this week of actively concealing a felony. But the verdict may have lasting implications in the world of cybersecurity.
Sullivan’s coverup of the breach set a new precedent for the responsibility of private-sector and executive-level staffers to handle the public’s private information. When cybersecurity attacks are at their highest rates in history -- and private companies are motivated to protect themselves from cybersecurity insurance costs -- who’s protecting the consumers?
In a press statement, U.S. Attorney for Northern California Stephanie Hinds wrote, “We expect technology companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers."
Sullivan and two hackers have been convicted. But it’s unclear what happened to the 57 million Uber users and 600 thousand driver's license numbers that were stolen in the breach.