Uber’s former chief security officer has been convicted of failing to tell US authorities about a 2016 hack of the company’s databases.
A jury in San Francisco found Joe Sullivan – fired from Uber in 2017 – guilty of obstruction of justice and concealing a felony.
Increasingly, companies negotiate with ransomware hackers.
But investigators said they must “do the right thing” when their systems are breached.
The conviction is a dramatic reversal for Sullivan, who had at one point in his career prosecuted cyber-related crime for the San Francisco US attorney’s office.
After Sullivan’s conviction his lawyer, David Angeli, said “Mr Sullivan’s sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people’s personal data on the internet,” the Washington Post reported.
But prosecutors said the case was a warning to companies.
“We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie M Hinds said.
Ms Hinds accused Sullivan of working to hide the data breach from US regulator the Federal Trade Commission (FTC), adding he “took steps to prevent the hackers from being caught”.
At the time, the FTC was already investigating Uber following a 2014 hack.
When it was hacked again, the attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ).
Staff working for Sullivan confirmed data, including about 57 million Uber users’ records and 600,000 driving-licence numbers, had been stolen.
According to the DOJ, Sullivan arranged for the hackers to be paid $100,000 (£89,000) in bitcoin in exchange for them signing non-disclosure agreements to not reveal the hack to anyone.
The hackers were paid in December 2016, even though they had refused to provide their true names.
The payment was disguised as a “bug bounty”, a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.
The Washington Post reported that the process enabled Uber to gather clues about the two hackers. The firm eventually identified the pair – both of whom have since been convicted of criminal offences – in January 2017 and required them to sign new agreements in their own names.