Uber's former CISO was recently convicted of concealing a data breach from the FTC. This marks the first time a senior executive has been found guilty of concealing a security incident from regulators, and it has sent chills down many cybersecurity executives' spines.
Joe Sullivan was convicted on one count of obstruction of FTC proceedings and one count of misprision of a felony for concealing the 2016 theft of about 57 million rider and driver records, including roughly 600,000 driver's license numbers, from Uber. The cover-up took place while the Federal Trade Commission was already investigating an earlier data breach at Uber.
Former Uber CISO Convicted
A jury has found former Uber cybersecurity chief Joe Sullivan guilty of federal charges for trying to cover up a massive data breach at the ride-hailing company. Sullivan was found guilty of one count of obstruction and one count of misprision of a felony, both related to his attempt at concealing the hack.
Sullivan was convicted of concealing Uber's 2016 hack, which resulted in the theft of personal information belonging to 57 million riders and drivers, and of obstructing an investigation by the US Federal Trade Commission into Uber's data security practices.
This case attracted considerable interest among cybersecurity professionals, as it marked the first time an individual had been criminally prosecuted in the United States for the handling of a data breach. The verdict was seen as an important milestone that clarifies the personal responsibility of individuals in security roles and could have significant repercussions for both companies and cybersecurity professionals.
Beyond the criminal conviction itself, the case raised several contested questions. Notably, Sullivan did not disclose the breach to the FTC or to the Uber attorneys handling the agency's investigation, and he later misled the company's new CEO about how the incident had been handled.
According to the evidence presented at trial, Sullivan was already responding to the FTC inquiry when he learned in November 2016 that hackers were threatening to make the stolen Uber data public unless they were paid. To keep the theft quiet, Sullivan paid the hackers $100,000 and had them sign a nondisclosure agreement that barred them from disclosing the incident, court documents state.
The payment was routed through Uber's bug bounty program, which rewards security researchers for reporting vulnerabilities, so that the ransom could be passed off as a bounty award. Uber's program at the time had a maximum payout of $10,000.
In August 2020, federal prosecutors charged Sullivan with obstruction of proceedings and misprision of a felony for concealing the breach from the FTC while the agency was examining whether Uber's security practices and breach handling had violated federal law.
Prosecutor’s Opening Statement
Uber's former Chief Security Officer Joe Sullivan was found guilty of obstruction of justice and misprision of a felony for orchestrating the cover-up of a data breach that compromised the personal information of 57 million passengers and drivers. This conviction marks the first time an executive has been prosecuted for concealing a cybersecurity incident from regulators, according to the US Attorney's Office that brought the case.
In 2015, Uber hired Sullivan to strengthen its data security after an earlier breach. In May of that same year, the Federal Trade Commission served Uber with a detailed Civil Investigative Demand (CID) seeking extensive details about data breaches and the company's overall security practices.
In November 2016, about ten days after Sullivan had given sworn testimony to the FTC about Uber's security practices, he learned from subordinates that hackers had stolen the personal information of 57 million users, including roughly 600,000 driver's license numbers. According to court documents, Sullivan paid the hackers $100,000 in bitcoin in exchange for deleting the data, and he concealed the breach from the FTC and from the Uber attorneys involved in the agency's investigation, according to prosecutors.
The jury found Sullivan guilty of one count of obstruction of justice and one count of misprision of a felony, stemming from his decision to pay the hackers and to have them sign nondisclosure agreements that falsely represented they had not taken or stored any of Uber's personal information.
Sullivan also disguised the payment as an award under Uber's bug bounty program, which rewards white hat security researchers for finding vulnerabilities in the company's software. He concealed this from his employer's new leadership and from the Federal Trade Commission, which at the time was investigating a similar breach from 2014, according to prosecutors.
Sullivan led Uber's security organization until November 2017, when Dara Khosrowshahi, who had become CEO that August with a mandate to repair the company's image, dismissed him after Uber publicly disclosed the breach. The charges against Sullivan dealt a severe blow to Uber's reputation as a company consumers could trust with their data, and raised the question of whether CISOs should be held personally liable for how security incidents are handled.
Joe Sullivan, Uber's former security chief, was convicted of obstruction of justice and misprision of a felony in a trial over his role in covering up the 2016 data breach at the ride-hailing company. The conviction is the first criminal prosecution of a senior security executive for how he handled a cyber incident, and it is being watched as an important precedent in a global trend toward holding security staff and executives accountable for their handling of incidents that may cause harm.
According to the government's evidence, Sullivan misled Uber's new CEO and its outside lawyers about how he had handled the breach. He edited a draft summary prepared by one of his reports so that it falsely stated the hackers had been paid only after they were identified, and he deleted language saying that the hackers had obtained personally identifying information and a very large quantity of user data.
The cover-up took place despite breach notification laws that require companies to report security breaches to affected customers and regulators in the most expedient time possible. Sullivan told only a small group of Uber's "A-Team" of top executives about the hack, while keeping other employees in the dark.
Experts from the law firm Alston & Bird say the Sullivan verdict is an important precedent that will likely have a significant impact on how companies respond to cybersecurity incidents. Specifically, they suggest that incident response counsel send a “rules of the road” email to all company attorneys working on the investigation, stressing that privilege must be maintained and that no information about the investigation should be shared with company employees who are not involved in the response.
Similarly, Dr Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, says that the Sullivan case is just the beginning of a global trend toward holding cybersecurity executives accountable for how they handle incidents. He advised security executives to urgently check their employment contracts to ensure they are protected against legal fees in the event of a civil lawsuit or prosecution arising from their professional responsibilities.
Uber had long promoted a strong reputation for cybersecurity. That reputation took a serious hit in October 2022, when former Chief Information Security Officer (CISO) Joe Sullivan was found guilty of covering up a data breach that exposed the personal details of 57 million riders and drivers.
Sullivan's conviction has sent chills down the spines of cybersecurity professionals. It illustrates how easily executives can become "sacrificial lambs" when a company is breached.
The conviction could have a major influence on the future of cybersecurity jobs, particularly for those in the role of Chief Information Security Officer (CISO). For a start, it makes clear that a CISO who conceals breach information that must be disclosed under privacy and breach notification laws faces personal criminal exposure, regardless of what the company's leadership decides.
A CISO convicted of obstructing or concealing a breach is unlikely to work in the field again. The threat of personal liability also complicates the CISO's relationship with the CEO and board, whose support is needed both to fund the protection of the organization's assets and to make disclosure decisions during an incident.
Executives found guilty of obstructing or concealing breach information can also face fines and even jail time. This is particularly troubling for outsourced and fractional CISOs, who carry the same exposure with less control over corporate decisions.
Another pressing concern is how CISOs should handle a breach. As the Uber case shows, a security leader can end up making disclosure decisions that should rest with the CEO, general counsel and board, and many CISOs struggle to reach consensus with those stakeholders.
A jury found Sullivan guilty of obstruction of an investigation by the Federal Trade Commission and misprision of a felony in relation to his cover-up of a data breach. This marked the first time ever that a senior executive has faced criminal charges regarding a cybersecurity incident.
Prosecutors argued that Sullivan knew about the 2016 breach and covered it up to avoid FTC scrutiny. They further charged that Sullivan paid the two hackers $100,000 in bitcoin to keep quiet and had them sign nondisclosure agreements falsely stating that no information had been stolen. The payment was made through Uber's "bug bounty" program, in which ethical hackers report security flaws and receive rewards.