The verdict is in for Uber’s former Chief Security Officer (CSO) Joe Sullivan, who was found guilty of all charges related to the 2016 Uber data breach cover-up.
A federal jury found Sullivan guilty of obstruction of justice and misprision, which is the deliberate concealment of one's knowledge of a treasonable act or a felony.
Sullivan now faces up to a total of eight years in prison—five for the obstruction of justice charge and three for misprision. A sentencing date has not been announced.
The prosecution opted to waive three additional counts of wire fraud related to the payments after the trial began, which saved Sullivan from facing a much longer sentence.
The trial and verdict have taken center stage in the security world, as this marks the first time a chief security officer has faced criminal charges stemming from incident-response-related activities.
About the 2016 Uber Breach and Cover-up
Uber found itself at the center of one of the largest, most high-profile cyber attacks of 2016, a breach of the personally identifiable information of more than 55 million Uber users and seven million drivers, including full names, contact information and nearly 600,000 driver license numbers.
The threat actors reportedly carried out the attack by obtaining access to Uber’s Amazon Web Services account through credentials stored on GitHub. They demanded $100,000 in exchange for deleting the stolen data.
Following the ransom demand, Sullivan made the decision to pay the full amount via bitcoin in exchange for the data being destroyed.
How Exactly Did Sullivan Break the Law?
While paying the ransom is never recommended or advised, it is not a federal crime. What is a crime is covering up that payment, which Sullivan chose to do in an attempt to hide the nature of the breach.
Sullivan knowingly misrepresented the ransom payment as a bug bounty submission and had the attackers sign non-disclosure agreements. Bug bounty programs are commonplace among organizations and are designed to provide financial incentives for those who report vulnerabilities in products or services.
By portraying the breach and ransom payment as a bug bounty reward, Sullivan changed the narrative from a serious cybersecurity breach to a more benign group of helpful individuals being rewarded for exposing a critical vulnerability.
Sullivan knowingly concealed the breach from the Federal Trade Commission (FTC) and hid it from Uber CEO Dara Khosrowshahi, who went on to testify against Sullivan at trial.
The obstruction of justice charges that came afterward were due to Sullivan failing to amend his testimony to the FTC regarding Uber’s security conditions after learning of the 2016 breach.
Uber disclosed the incident and terminated Sullivan in November 2017. Additionally, Uber was hit with a $148 million penalty related to the cover-up in 2018 and agreed to 20 years of privacy audits.
Uber also acknowledged guilt as part of a non-prosecution agreement. That agreement stated that Sullivan took steps to keep knowledge of the data breach tightly controlled, and that the Uber attorneys communicating with the FTC weren't told of the breach even as they represented the company's security practices as much improved since 2014.
Should Cybersecurity Executives Be Worried About the Sullivan Verdict?
The simple answer is no.
It is important to remember that Sullivan was not charged and convicted because a breach happened under his leadership. He was charged and convicted for his cover-up, his false testimony, and his obstruction of an existing FTC federal investigation into Uber’s 2014 breach.
“We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” said U.S. Attorney Stephanie Hinds. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
Did You Know October is Cybersecurity Awareness Month?
In support of Cybersecurity Awareness Month 2022, the Schneider Downs cybersecurity team is introducing a library of cybersecurity resources to help keep cybersecurity top-of-mind every day—at home, in the office and everywhere in between.
The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.