A jury found Sullivan guilty of covering up a 2016 cyberattack where a hacker downloaded the personal information of more than 50 million people. The stolen information included names, email addresses, and phone numbers for more than 50 million riders and 7 million drivers.
The jury convicted Sullivan on two counts, one for obstructing justice and the other for misprision, which is concealing a felony from the authorities.
It is believed to be the first time a company executive has faced criminal prosecution.
Three counts of wire fraud were dismissed by prosecutors. Sullivan served as a security executive at other companies, including Facebook and Cloudflare, and, as the Post points out, in this case, he was pitted against the same San Francisco US attorney's office where he had previously worked prosecuting cyberattacks.
The hack itself was described by the prosecution in their original complaint, which pointed out that the FTC was already investigating the company over a previous hack. The trial began in September. As a result of the hack, some internal systems were temporarily taken offline.
Two outsiders were able to download the company's database backups after they were granted access to its Amazon Web Services. In exchange for the promise of deletion of the stolen information, the hackers agreed to pay a $100,000 ransom, which was treated as part of the company's bug bounty program. The company was hacked in 2019.
The chief security officer was not trusted by the CEO.
This is the first time a company executive has faced criminal prosecution over a hack. Sullivan's conviction could change the way companies respond to cyberattacks. Sullivan shared the details of the hack with Kalanick and the company's chief privacy lawyer. They said that he didn't reveal the true extent of the incident to the new CEO of the company.
Prosecutors argued that Sullivan did not reveal the attack in order to protect his reputation, as he was supposed to have improved the security of the company. Sullivan is facing up to eight years in prison, but is likely to receive a shorter sentence.
The criminal case against Sullivan was settled with the prosecutors in July of this year, promising "full cooperation" in the case. On September 16th, he testified against him, saying that he couldn't trust his judgement anymore. The company promised the FTC that it would maintain a privacy program for 20 years.
Sullivan's lawyers argued that his actions were taken to prevent a leak of users' data, that he informed the CEO and others who weren't charged for the incident, and that his team eventually identified the hackers and got them to sign a non-disclosure agreement. David Angeli, Sullivan's lawyer, told the Times that Sullivan's main focus has been to ensure the safety of people's data on the internet.