Former Uber security chief Joseph Sullivan has been convicted in federal court for his role in the cover-up of the 2016 Uber data breach, in which payment was made to a hacker to keep the incident from being revealed to anyone outside of his security team. The breach involved the theft of mass amounts of sensitive personal information.
The cover-up Sullivan orchestrated was outed in 2017 when Uber appointed a new CEO and an internal investigation into the prior year’s data breach was initiated. He was convicted on charges of obstruction of justice and knowing concealment of a felony. Sentencing is forthcoming, but the maximum penalty for the combined charges could range up to eight years in prison.
Former Uber security chief faces potential prison time after concealing massive theft of personal data
The case centers on the 2016 Uber data breach that made headline news, but it also involves an earlier 2014 hacking incident that Sullivan had not been present for but had withheld information about from an FTC investigation.
Uber’s problems started in 2014, with a data breach that exposed the records of about 50,000 drivers (including driver’s license information). Uber disclosed this breach to the Federal Trade Commission (FTC), which opened an investigation into the incident in 2015, just a month after Sullivan was hired as the company’s new security chief. The investigation included a “Civil Investigative Demand” requiring the company to share detailed information about both its security practices and any other unauthorized access to user information that might occur during the investigation.
When Sullivan testified to the FTC in November 2016 that he knew of no other incidents of this nature, he was likely being honest and forthcoming. However, just 10 days later hackers contacted him by email with claims of theft of the records of 57 million customers and drivers.
Members of the Uber security team working under Sullivan verified that the claim was legitimate. Sullivan quickly rallied the troops, instructing his team to not discuss the matter with anyone as he orchestrated a $100,000 bitcoin payment to the hackers to wipe the stolen data and keep the incident quiet. The identities of the hackers were unknown at the time, but Sullivan’s team apparently unmasked them in January 2017 and approached them again with non-disclosure agreements along with false statements that they did not take or store any personal data as part of the incident. Sullivan would later try to hide all of this by representing it as a submission to the Uber bug bounty program rather than a ransom payment.
The security chief not only failed to disclose the data breach to the FTC, but also actively concealed it from Uber’s legal team. At the time, that team was working on a preliminary settlement with the FTC for the 2014 data breach.
The ruse began to fall apart in August 2017, when Uber’s board voted to appoint Dara Khosrowshahi as the new CEO of the company. As part of a general housecleaning as new management settled in, questions were raised that unearthed evidence of the 2016 data breach. The security chief lied to the new CEO about it, claiming that personal information had not been stolen and that the hackers had only been paid after they had been identified. Outside lawyers were called in to investigate, and despite Sullivan’s attempts to lie to them as well the incident was fully exposed in November 2017 and promptly reported to the FTC by the company.
Additional evidence of the security chief’s scheme surfaced when the hackers were apprehended and pled guilty to the data breach in 2019. The hackers had also stolen about 55,000 passwords from e-learning site Lynda.com in late 2016. Sullivan remains free on bond pending sentencing but could face up to eight years in prison between the maximum possible sentences of the two charges.
Could the Uber verdict change how data breaches are handled?
The security chief’s verdict and punishment will establish something of a new legal precedent, as it is the first time an executive of a major tech company has been charged with personal criminal responsibility as part of a data breach.
The issue of choosing to make payments in ransomware and extortion cases has essentially been settled since the 2016 Uber breach, with the FBI formally declaring that while it does not support ransomware payments, it will also not pursue cases against individuals who authorize them so long as they do not involve sanctioned entities. But there is an added element to the Sullivan case: he knowingly misrepresented the facts and covered up evidence in a situation in which he and his company were legally obligated to report to the FTC.
While there is more in play in this case than a failure to disclose within a prescribed time window, Andrew Hay (COO at LARES Consulting) notes that this decision potentially spells trouble for well-meaning decision makers who opt to thoroughly investigate potential data breaches before going to regulators: “The biggest issue with a four day mandatory breach disclosure window is that not every breach can be understood, let alone resolved, within that window. Some investigations take months or years to wrap up. Also, if the FBI is involved, they keep their cards tight until they’ve concluded the incident. The last thing they’d want is for an organization to tip off the SEC that “something” has happened without knowing the full extent of the breach or those involved. There’s also a staffing concern – on both sides. To fulfill the windows, organizations would be required to staff more incident responders and perhaps even additional communications people to report the information. On the receiving end, the SEC would have to increase staff to handle the influx of reports. Who’s paying for that?”
At the very least this case will likely discourage any future attempts to get hackers to sign non-disclosure agreements as a remediation strategy, as this was a key piece of evidence the prosecution used to successfully argue that the incident was an intentional cover-up. Attempting to bury a data breach after the fact by convincing the hackers to claim it as a “bug bounty” is also off the table if prior communications are available to a court (the eventual $100,000 payment was also 10 times what Uber had authorized for bug bounties).
Casey Ellis, Founder and CTO at Bugcrowd, sees the decision as having major repercussions in the executive information security ranks going forward: “It’s a significant precedent that has already sent shockwaves through the CISO community. It highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment. It begs for clearer policy at the Federal level in the United States around privacy protections and the treatment of user data, and it emphasizes the fact that a proactive approach to handling vulnerability information, rather than the reactive approach taken here, is a key component of resilience for organizations, their security teams, and their shareholders.”
An interesting side note to the case is that Sullivan reportedly informed scandal-plagued former CEO Travis Kalanick shortly after the 2016 breach happened, and that Kalanick signed off on his concealment plan. However, Kalanick is not being charged as Sullivan would not testify against him and insufficient written evidence exists to make a case.
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, believes that the decision may actually push companies to blame CISOs and expect them to take the fall when similar situations arise: “There are some general conclusions to draw. I’m concerned with the unintended consequences of this case. CISOs already have a challenging job, and the case outcome raises the stakes for “CISO scapegoating.” How might this impact the number of leaders willing to take on the potential personal liability of the CISO role? Could we see more whistleblower cases as we saw with Twitter? I expect to see more CISOs negotiating Directors and Officers insurance into their employment contracts. D&O insurance offers personal liability coverage for decisions and actions the CISO might take. In addition, in the same way that both the CEO and CFO became responsible for corruption on the heels of Sarbanes Oxley and the Enron scandal, CISOs shouldn’t be the only roles guilty in the event of wrongdoing around intrusions and breaches. CISOs must effectively communicate risks to the company’s leadership team but shouldn’t be solely responsible for cyber security risks.”
Christopher Hallenbeck, CISO of Americas at Tanium, sees this as unlikely to impact breach notification laws in any formal way but as a decision that clarifies what a CISO’s responsibility under the law is: “A change in reporting laws is unlikely to prevent what happened here. Sullivan was found guilty of actively taking steps to both hide the existence of the intrusion. With these breach notification laws in place he could have violated that law in a similar manner. If Uber’s then-President had ordered the coverup, and Sullivan internally agitated for disclosure, Sullivan wouldn’t have faced prosecution. CISOs aren’t automatically at risk, with or without a breach notification law. Their actions towards disclosure or concealment are what puts them in jeopardy.”
And Sounil Yu, Chief Information Security Officer at JupiterOne, sees this as an individual call to CISOs to review exactly where they legally stand in their organizations if such an incident should arise: “This case has set a terrible precedent that creates confusion around who should take liability for decisions during an incident response event. In this particular case, it was clear that Joe Sullivan coordinated his actions with the blessing of executive management, yet Joe was the one that ended up holding the bag. This is like court martialing a soldier but letting their commanding officer who gave the order go scot free. We CISOs will need to closely review our incident reporting policies (perhaps with our own personal attorney) to ensure that it is clear how and when liability for certain decisions is transferred to the firm or to other identified executives. Until there is greater clarity on who owns the liability, the net effect may be that CISOs will push to report more than the executive management may be comfortable with.”