Uber’s former head of security, Joe Sullivan, was found guilty in a federal court Wednesday of concealing a 2016 data breach for more than a year. A jury rejected Sullivan’s argument that other Uber executives were aware of the data breach and responsible for it not being publicly disclosed for over a year, according to Bloomberg.
Sullivan was convicted of obstructing justice by keeping the breach hidden from the Federal Trade Commission and actively hiding a felony by authorizing payments to the hacker responsible, according to the Washington Post.
The 2016 Uber hack exposed the personal data of 57 million drivers and users of the ride-sharing app, including names, email addresses and driver’s license numbers.
The hack occurred in October 2016 but wasn’t disclosed publicly until November 2017. Uber learned of the data breach in November 2016 and paid $100,000 for the cyber thief to delete the information.
In September 2018, Uber reached a settlement with all 50 US states and the District of Columbia to pay $148 million for failing to report the hack.
Uber didn’t immediately respond to a request for comment.
Uber was again breached by a cyber attacker last month, with Uber laying the blame on hacking group Lapsus$, which has breached Microsoft, Cisco, Samsung, Nvidia, Okta and Rockstar Games in 2022.
Uber said last month’s hack likely involved a contractor’s personal device becoming infected with malware when they accepted a verification notification, leading to their credentials becoming exposed. The employee’s credentials were then likely purchased from the dark web. Uber says no personal data was compromised.