Joe Sullivan, the former Chief Security Officer (CSO) of Uber, has been convicted of obstruction of proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of the hack Uber suffered in 2016.
Sullivan was named Chief Security Officer at Uber in April 2015.
“At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014,” the Department of Justice noted.
“In the wake of that disclosure, the FTC’s Division of Privacy and Identity Protection embarked on an investigation of Uber’s data security program and practices. In May 2015, the month after Sullivan was hired, the FTC served a detailed Civil Investigative Demand on Uber, which demanded both extensive information about any other instances of unauthorized access to user personal information, and information regarding Uber’s broader data security program and practices.”
On November 4, 2016, Sullivan testified before the FTC under oath, and delineated the steps Uber had taken to keep customer data secure.
“Exactly ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data,” the DoJ added.
“The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they ‘can’t let this get out,’ instructed them that the information needed to be ‘tightly controlled,’ and that the story outside of the security group was to be that ‘this investigation does not exist.’ Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack.”
According to the DoJ, “The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them.”
After Dara Khosrowshahi became CEO of Uber in August 2017, Sullivan “lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.”
The two hackers – Brandon Charles Glover and Vasile Mereacrein – were prosecuted and pleaded guilty in 2019, but have yet to be sentenced. The latter recently testified in Sullivan’s trial.
Sullivan has been found guilty by a federal jury, and faces up to eight years in prison for the two charges.
Sullivan maintained throughout the trial that he omitted to disclose the breach to the FTC because the decision on when the breach should be disclosed was made by Uber’s legal department. But, so far, only Sullivan was charged in connection to this incident and its cover-up.
The trial has been followed closely by people in the cybersecurity community, and especially those occupying the CSO and CISO (Chief Information Security Officer) roles.
This conviction could be taken as a precendent and, hopfully, prevent C-suites from making the same choices. It could also make it difficult for companies to hire CSOs and CISOs.
I suspect that the balance will be that they can now refuse to do a lot of fishy stuff. And it might make the CEO think twice before pushing for the wrong idea: if you can’t ask your CSO to track down and “impress upon” an ex-employee certain things, maybe don’t start at all?
— Bertil Hatt (@bertil_hatt) October 6, 2022
Criminal verdicts make this an entirely different proposition. Esp when the lawyer that was intended to keep proposed courses of action within boundaries of what was permissible is granted immunity, whilst GC maintains plausible deniability.
— JD Work (@HostileSpectrum) October 5, 2022