United States | Publication | October 2022
On Wednesday, October 5, 2022, a federal jury in California unanimously convicted Joseph Sullivan, Uber's former Chief Security Officer, for his role in concealing a 2016 cybersecurity data breach from the government while it was investigating a prior breach, and for actively preventing the 2016 breach from being discovered, including within Uber itself. Sullivan was charged with (1) obstruction of justice and (2) misprision (concealment) of a felony. On these charges, Sullivan faces up to eight years in prison (five years for obstruction of justice and three years for misprision) and hundreds of thousands of dollars in fines.
According to the government, in September 2014 Uber suffered a data breach resulting in the theft of personally identifiable information (PII) of approximately 50,000 drivers. In February 2015, Uber reported the breach to the Federal Trade Commission (FTC), which commenced an investigation into Uber's data security practices. In April 2015, Sullivan became Uber's Chief Security Officer and assisted the company in responding to the FTC's requests.
While the FTC's investigation was pending, and ten days after Sullivan had provided testimony to the FTC, Sullivan learned on November 14, 2016 that hackers had again accessed Uber's systems and downloaded the PII of 57 million customers and drivers. Sullivan's team confirmed the breach within 24 hours, and the next day Sullivan discussed it with Uber's then-CEO.
The government alleged that Sullivan took steps to conceal the 2016 breach both from the FTC and from the persons whose PII had been stolen. For example, over the following month Sullivan arranged to pay US$100,000 in Bitcoin to the two hackers under Uber's "bug bounty" program, on the condition that the hackers sign a non-disclosure agreement (NDA) which falsely represented that they had not obtained sensitive data. Under the bug bounty program, a third-party intermediary arranged payments to so-called "white hat" hackers who reported security issues but had not actually compromised any data; paying attackers who had already exfiltrated data was not what the program was designed for.
Although Sullivan claimed that the payment to the hackers, together with the NDA, was a legitimate use of the bug bounty program, he disregarded an Uber employee who told him that the NDA's statement that no data had been compromised was false, and insisted that the language remain in the NDA. In addition, although Uber's bug bounty program policy required the hackers' identities to be known before any payment could be made, the hackers initially refused to provide their true names and identities, and Sullivan directed Uber to pay them anyway.
Uber personnel later identified the two individuals responsible for the breach in January 2017 and required them to execute new copies of the NDAs using their true names. Sullivan did not raise the details of the 2016 breach with new Uber management until September 2017, when he was asked to brief the incoming CEO. According to the indictment, Sullivan briefed Uber's new CEO about the 2016 breach by email but edited the summary to remove key details and falsely stated that the payment had been made only after the hackers had been identified. He also allegedly characterised the 2016 breach not as a breach at all but merely as an incident no more severe than any other security incident. After the new CEO learned what had happened, Uber disclosed the breach to the FTC and the public in November 2017. The new CEO then fired Sullivan as well as Uber's Legal Director of Security and Law Enforcement, who had helped oversee Uber's response to the 2016 breach.
It is notable that Sullivan is the only executive to have been indicted over the 2016 breach, even though others were clearly aware of, or participated in overseeing, the response to the breach and the dealings with the hackers. The charges and conviction appear to be driven by Sullivan's active misrepresentations to management and the steps he took to conceal the breach from Uber drivers and customers. In addition, the government's case focuses on the fact that Sullivan played a pivotal role in responding to the FTC's inquiries about cyber security, and had provided written responses to questions and sworn testimony to the FTC on a variety of topics during the pending investigation of the 2014 breach. While the government did not allege that he made any material misrepresentation to the FTC, given his role in that earlier investigation the government evidently regarded him as the appropriate person to disclose the new incident to the FTC; instead, he chose not to do so and actively attempted to prevent its discovery.
© Norton Rose Fulbright LLP 2025