An Uber to Prison: Lessons Learned from a Convicted CSO

The fate of a former member of Uber’ C-suite should serve as a wake-up call for company stakeholders across industries. 

Earlier this month, Uber’s ex-chief security officer, Joseph Sullivan, was found guilty of obstruction of justice and concealment of a felony, and he is now staring down the barrel of a prison sentence that will likely range from 24 to 57 months. Sullivan’s troubles stem from his response to a data breach that Uber fell victim to back in November 2016, which placed at risk the personal information of nearly 60 million Uber individuals—drivers and customers alike. 

A Tale of Two Breaches 

Hackers penetrated Uber’s AWS S3 bucket in 2016 and then demanded a six-figure ransom to prevent the release of the stolen data online and ensuing publicity that the company suffered a massive data breach. 

As it turns out, when this demand was made, Uber was being investigated by the Federal Trade Commission in connection with another data breach that was discovered by Uber two years prior, in September 2014. That incident was reported to the FTC in February 2015 and Sullivan was an integral part of Uber’s subsequent response to and settlement negotiations in connection with the FTC’s related investigation. Of note, the FTC’s inquiry into the data breach of 2014 was ongoing at the time of the 2016 infiltration. In fact, just days before he learned about that second data breach, Sullivan provided testimony under oath to the FTC about the 2014 episode. 

More particularly, Sullivan had outlined to the FTC the steps Uber had taken to fix and improve the company’s security program in the wake of the 2014 incident, going so far as to claim that measures were put in place to prevent any additional breaches that targeted the same vulnerabilities. The 2016 breach proved this to be untrue, which is why Sullivan sought to hide the event from the FTC by paying the 2016 attackers $100,000 in bitcoins not only to prevent the release of the stolen data, but also to buy their silence while Uber was under the FTC’s microscope. 

 That payment was made through Uber’s bug bounty program as pretext for their ability to assert that a reportable data breach never occurred in 2016. In order to ensure their cooperation, the hackers were required to sign a nondisclosure agreement drafted by Sullivan and Uber’s in-house lawyer that included a false “promise” and statement that the hackers “did not take or store any data during or through [their] research.”  

Ultimately, In November 2017, new management within Uber ’s executive team divulged the 2016 data breach to the FTC, leading to Sullivan’s arrest by the FBI and ultimate prosecution and conviction. 

Lessons Learned 

There is much for company stakeholders and data security professionals to learn from Sullivan’s legal woes. But first, and important preface: merely failing to disclose a data breach is not, by itself, a crime. What Sullivan did to invite trouble was overtly obstructing a regulatory investigation into a cyber incident and actively concealing it from regulators. Which leads to lesson number one—data breaches and ransom payments should never be kept from governmental agencies or internal and external stakeholders. Instead, companies falling victim to cybercrime should immediately consult with outside counsel who can make the legal call to contact and notify law enforcement. 

Sullivan also ran afoul of the law by misusing Uber’s bug bounty program to cover up a data breach and a subsequent ransom payment. Without question, bug bounties are a critical tool to discover security and network vulnerabilities, but they must be used in adherence with specific policies that identify permissible activities and payment parameters. Thus, lesson number two— bug bounty programs should be leveraged in furtherance of legitimate security research and never to conceal evidence of a crime or a cybersecurity breach. 

Finally, the case against Sullivan demonstrates the clear emphasis law enforcement agencies and regulators are placing on (1) company disclosure obligations in the aftermath of cybercrimes, and (2) individual accountability of in-house counsel and IT for corporate misconduct. Stakeholders should understand that prosecution decisions as they pertain to a given organization are influenced by that entity’s history of compliance, its current compliance programming, the company’s proactive Incident Response Plan, and whether the organization has furnished prompt and complete disclosure of misconduct by individuals associated with its compliance program. Those in C-suites and on boards would be wise to seek outside counsel and act accordingly. 

Of course, should you have any questions, concerns or needs in terms of data security and incident response, the cyber pros at Michelman & Robinson are here to help.