Former Uber Security Chief Found Guilty of Covering Up Data Hack
Joe Sullivan, Uber's former chief security officer, was found guilty on two counts: obstruction of proceedings before the Federal Trade Commission, which carries a maximum of five years in prison, and misprision of a felony (concealing knowledge of a crime from the authorities), which carries a maximum of three years.
U.S. Attorney Stephanie M. Hinds stated in a press release that 'technology corporations in the Northern District of California capture and store massive amounts of data from customers.'
'When such data is stolen by hackers, we expect those organisations to protect that data and to notify customers and the relevant authorities. Sullivan actively worked to keep the Federal Trade Commission from learning about the data theft and took measures to keep the hackers from being apprehended.'
In 2016, two hackers gained unauthorised access to Uber's database backups, and in December of that year the ride-hailing company secretly paid them $100,000 to delete the stolen data.
To pass the break-in off as a bug bounty payout, Uber also had the extortionists sign a non-disclosure agreement. The backups held records on 7 million drivers and 50 million Uber riders.
Further complicating matters, the intrusion happened while the Federal Trade Commission (FTC) and the US Justice Department were already investigating the company over an earlier breach that occurred on May 13, 2014.
In February 2015, Uber disclosed that one of its databases had been improperly accessed after a potential compromise of one of its security keys, exposing the names and driver's licence numbers of around 50,000 drivers. That incident was discovered in September 2014.
The FTC said in 2018 that, beyond misleading consumers about its privacy and security practices, Uber 'compounded its misconduct by failing to notify the Commission that it suffered another data breach in 2016 while the Commission was investigating the company's strikingly similar 2014 breach.'
According to the DoJ, Sullivan played a central role in shaping Uber's response to the FTC over the 2014 incident, and on November 4, 2016 he testified under oath to the FTC about the measures he said the company had taken to secure user data, only days before he learned of the 2016 hack.
Prosecutors also said Sullivan misled Uber's new CEO, Dara Khosrowshahi, and the firm's outside lawyers who were investigating the 2016 incident; the 'truth about the breach' emerged only in November 2017, when Uber publicly disclosed it.
Travis Kalanick, Uber's co-founder and former CEO, who left the company in June 2017, is alleged to have approved Sullivan's handling of the intrusion. Kalanick has not been charged.
The legal team for Sullivan said in a statement provided to The New York Times that his sole concern throughout the incident and his professional career has been to guarantee the 'protection of people's personal data on the internet.'
The 2014 and 2016 lapses were strikingly similar, and Uber's systems were compromised again last month (September 2022) in an intrusion the company has since attributed to the LAPSUS$ extortion group.
In July 2022, Uber entered into a separate non-prosecution agreement with the DoJ in which it admitted to the 2016 cover-up. That agreement credited Uber's 2018 settlement with state attorneys general, under which it paid $148 million and agreed to create 'a corporate integrity programme, specific data security safeguards, incident response and data breach reporting policies' and to undergo biennial security assessments.
According to FBI San Francisco Special Agent in Charge Robert K. Tripp, 'the message in today's guilty conviction is clear: firms hosting their customers' data have a responsibility to protect that data and do the right thing when breaches occur.'