A San Francisco jury has found Uber Technology Inc.’s /zigman2/quotes/211348248/composite UBER -1.43% former chief security officer Joseph Sullivan guilty of criminal obstruction charges for failing to report a 2016 cyber intrusion to federal authorities.
The case was closely watched as a rare instance of a senior cybersecurity executive facing criminal consequences for a decision not to disclose a hacking incident.
The verdict, delivered Wednesday in U.S. federal court, followed a three-week trial. Sullivan now faces a five-year prison sentence on the obstruction charge and as many as three years in prison on a second charge of failing to report a felony.
The case placed a spotlight on the sometimes gray areas that cybersecurity teams navigate as they respond to hacking incidents. Sulilvan’s lawyers had argued that their client had ultimately protected about 57 million Uber customer records in 2016, when they were accessed by an anonymous hacker who demanded a $100,000 payment. The money was eventually paid as a “bug bounty” by Sullivan’s team.
Prosecutors claimed that the payment was an attempt by Sullivan to cover up the incident and that he took steps to prevent it from being reported to the Federal Trade Commission, which was investigating Uber’s cybersecurity practices over an earlier breach at the time.
Also popular on WSJ.com: