
Ex-Uber security chief convicted of hiding hack from federal regulators

source link: https://arstechnica.com/tech-policy/2022/10/ex-uber-security-chief-convicted-of-hiding-hack-from-federal-regulators/

Taken for a ride —

Ex-Uber security chief convicted of hiding hack from federal regulators

Former security chief may be first exec found guilty of hiding a data breach.

Ashley Belanger - 10/6/2022, 3:11 PM


On Wednesday, a jury found former Uber security chief Joe Sullivan guilty of hiding a massive data breach from federal regulators who were already investigating the ride-share company for a different breach. With that verdict, Sullivan has likely become the first executive to be criminally prosecuted over a hack, The New York Times reported.

A jury of six men and six women started deliberating last Friday. After 19 hours, they decided that Sullivan was guilty on one count of obstructing the Federal Trade Commission’s investigation and “one count of misprision, or acting to conceal a felony from authorities,” according to the Times.

Sullivan’s legal team did not immediately provide comment for Ars, but one of his lawyers, David Angeli, told NYT how Sullivan received the verdict. “While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” Angeli told the paper. “Mr. Sullivan’s sole focus—in this incident and throughout his distinguished career—has been ensuring the safety of people’s personal data on the Internet.”

When Sullivan first learned of the second data breach, he disguised the illegal activity by paying the hackers through Uber’s bug bounty program. Uber had just announced the program in March 2016 in coordination with HackerOne, a widely used security firm whose company values urge executives like Sullivan to “default to disclosure” and ask “why keep this private?” instead of “why make this public?” It took less than a year for Sullivan to use HackerOne’s bug bounty program as a way to avoid disclosing a hack.


HackerOne did not immediately respond to Ars’ request for comment. [Update: A HackerOne spokesperson told Ars, "HackerOne has made the executive decision not to comment."]

The Times report suggested that Sullivan’s conviction could change how all companies manage data breaches in the future.

Uber did not provide comment to NYT or Ars. Previously, an Uber spokesperson directed Ars to a blog post in which Uber CEO Dara Khosrowshahi discussed how the company had updated security practices since Sullivan’s cover-up was exposed. Those efforts included consulting with an external cybersecurity expert on how to restructure Uber’s security team and how to implement processes to prevent leadership from making the same mistake again.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote in 2017. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

The Times included a statement in its report from Stephanie M. Hinds, the US attorney for the Northern District of California, where Sullivan’s case was heard, suggesting that Sullivan should serve as an example of how not to handle a hack.

“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” Hinds said. “Where such conduct violates the federal law, it will be prosecuted.”
