Twisted Cyber Case Finds Former Uber Security Chief Guilty of Data Breach Coverup
The conviction of former Uber Chief Security Officer Joseph Sullivan may force a chilling reassessment of how chief information security officers (CISOs) and the wider security community handle network breaches going forward.
A San Francisco federal jury on Oct. 5 convicted Sullivan of failing to tell U.S. authorities about a 2016 hack of Uber’s databases. Judge William H. Orrick did not set a date for sentencing.
Federal prosecutors noted that the case should serve as a warning to companies about how they comply with federal regulations when handling their network breaches.
Officials charged Sullivan with working to hide the data breach from U.S. regulators and the Federal Trade Commission, adding that his actions were an attempt to prevent the hackers from being caught.
At the time, the FTC was already investigating Uber following a 2014 hack. In the repeat hack of Uber’s network two years later, the hackers emailed Sullivan to tell him they had stolen a large amount of data. According to the U.S. Department of Justice, they promised to delete the data if Uber paid their ransom.
The conviction is a significant precedent that has already sent shockwaves through the CISO community. It highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment.
According to published trial accounts, Sullivan’s staff confirmed the extensive data theft. It included 57 million Uber users’ stolen records and 600,000 driver’s license numbers.
The DoJ reported that Sullivan arranged for the hackers to be paid U.S. $100,000 in bitcoin. As part of that arrangement, the hackers signed a non-disclosure agreement to keep the hack from public knowledge. Uber allegedly disguised the true nature of the payment by recording it as a bug bounty.
Critical Unanswered Questions
More CISOs are expected to negotiate Directors and Officers insurance into their employment contracts. That type of policy offers personal liability coverage for decisions and actions the CISO might take, he explained.
“CISOs must effectively communicate risks to the company’s leadership team but should not be solely responsible for cyber security risks,” he said.
Sullivan’s conviction is an ironic role reversal of sorts. Earlier in his law career, he prosecuted cybercrime cases for the United States Attorney’s Office in San Francisco.
The DoJ’s case against Sullivan hinged on obstructing justice and acting to conceal a felony from authorities. The resulting conviction could have a long-term impact on how organizations and individual executives approach cyber incident response, particularly where it involves extortion.
Prosecutors argued that Sullivan actively concealed a massive data breach. The jury agreed unanimously with the charge beyond a reasonable doubt.