Former Uber CSO Joe Sullivan found guilty of concealing data breach
Note: There is no contractual indemnity clause that will cover criminal activity.
Former Uber Chief Security Officer (CSO) Joe Sullivan has been found guilty of covering up a security breach at Uber in 2016 during which hackers stole the personal data of 57 million Uber passengers’ and 600,000 drivers.
Sullivan was hired in 2015. He reported a 2014 breach prior to his appointment to authorities.
But when a second breach took place in 2016 he concealed it from federal investigators and paid off the hackers, disguising the payment as a legitimate bug bounty. The breach led to an FBI investigation.
"Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Stephanie M. Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught."
She added on October 5: "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
Uber CSO guilty verdict: Jury dismisses scapegoat claims
Uber had the two hackers (later also prosecuted) sign non-disclosure agreements (NDAs) even though it did not know their true names. When it later identified them in January 2017, it required them to execute new copies of the NDAs in their true names and emphasised that they were not allowed to talk about the hack to anyone else.
As the Department of Justice (DOJ) put it in its own statement on the case, published on October 5: “Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies”.
Sullivan's lawyers had argued that responsibility for reporting the incident had rested with Uber’s legal team and that Sullivan had, in fact, properly disclosed the incident to the legal team and others at the company.
They claimed in court that the former Uber CSO had been thrown under the bus by a new executive team wanting to make a decisive break with a turbulent past under former Uber CEO Travis Kalanick.
A jury dismissed that view, finding he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
He remains free on bond pending sentencing.
See also: Uber CEO - "The goalposts have changed"
One former attorney turned IT consultant noted on Twitter: “Given that he's a former federal prosecutor, my first guess would be that a federal judge won't be too inclined toward leniency at sentencing.
“He betrayed the law. And his oath”.
(CISOs everywhere looking for contractual protection against such prosecution in future should note that there’s no contractual indemnity clause under the sun that will save you from criminal charges…)
Sullivan was charged in 2020 by the US Attorney’s Office in the Northern District of California.
As the US Department of Justice put it late Wednesday (October 5): “Shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC [Federal Trade Commission], any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC.
Join your peers following The Stack on LinkedIn
“For example, Sullivan told a subordinate that they ‘can’t let this get out,’ instructed them that the information needed to be ‘tightly controlled,’ and that the story outside of the security group was to be that ‘this investigation does not exist’. Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack,” the DOJ said.
It added: “Uber paid the hackers $100,000 in bitcoin in December 2016.”
Six years after that breach, Uber’s security does not seem to have dramatically improved.
Just this September (2022) a hacker breached Uber’s Slack, G-Suite and AWS accounts amongst others. The company says it likely made the initial breach after buying a contractor’s credentials on the Dark Web.
Once in, they found an internal network share that contained Powershell scripts with privileged credentials that let them easily pivot to compromising Uber’s Duo (authentication), OneLogin, and even EDR systems.
Uber has not updated its statement on that severe breach since September 19.