Jury Finds Former Uber CSO Joe Sullivan Guilty of Cover-UpSullivan Faces Up to 8 Years in Prison and $500,000 in Fines
A federal jury found former Uber security chief Joe Sullivan guilty of two felonies after a four-week trial in San Francisco.
The jury agreed with U.S. prosecutors who charged Sullivan, 53, in a criminal complaint with "a scheme to withhold and conceal" a 2016 data breach affecting tens of millions of Uber account holders.
The trial was a landmark, likely marking the first time a chief security officer has faced criminal charges over an incident response.
"This is a case about cover-up, about payoff and about lies," Andrew Dawson, an assistant U.S. attorney in the Northern District of California, told the court in his opening argument, The Wall Street Journal reported.
Sullivan faces up to eight years in prison and $500,000 in fines, a stark reversal of fortune for a man who held senior cybersecurity positions at Facebook and Cloudflare and earlier in his career was a pioneering cybercrime prosecutor with the Department of Justice. The jury found him guilty of obstruction and misprision of a felony, which refers to knowing something is a felony and covering it up.
"I don't think there's any rush for picking a sentencing date," said Judge William Orrick shortly before adjourning court.
The 2016 security incident affecting 57 million account holders and the driver's license numbers of 600,000 drivers didn't come to light publicly until November 2017, after Uber's new management team learned about the particulars and its board of directors probed the response. Dara Khosrowshahi, who'd taken over as chief executive from co-founder Travis Kalanick, ordered that all affected users and the Federal Trade Commission be notified.
Sullivan's crime wasn't that a breach happened on his watch but that he obstructed an ongoing federal investigation by the Federal Trade Commission into Uber's data security practices in the wake of an earlier data breach in 2014. A superseding indictment added three counts of wire fraud related to the hacker payoff, made under the guise of a bug bounty reward. Shortly before the trial began, prosecutors agreed to dismiss the wire fraud charges, which carried the prospect of decades in prison in the event of a guilty verdict.
Khosrowshahi fired Sullivan in November 2017, along with in-house attorney Craig Clark, who oversaw a $100,000 bitcoin payment made to two hackers who stole Uber account data. Clark testified against Sullivan under an agreement of immunity. The hackers, two men in their 20s, pleaded guilty in 2019 to making extortion demands to companies including Uber and LinkedIn. They accessed Uber data by using stolen GitHub credentials to access a private Uber code repository containing an access key to the company's Amazon Web Services account.
The 2016 breach occurred just days after Sullivan testified to the FTC that Uber under his watch fixed problems revealed by the 2014 breach, which also involved an AWS access key posted to the company GitHub repository. At the time, the repository was open to the public. "You can see him realizing, 'Oh, no, this is exactly the sort of thing we told the FTC wouldn't happen anymore,'" Assistant U.S. Attorney Ben Kingsley told the jury in closing arguments, Courthouse News Service reported.
Earlier this year, Uber admitted guilt as part of a non-prosecution agreement (see: Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution). The agreement states that Sullivan took steps to keep knowledge of the data breach tightly controlled and that Uber attorneys communicating with the FTC weren't told of the breach, even as they represented the company's security practices as being much improved since 2014.
In 2018, the company settled for $148 million an investigation led by states attorneys general into the data breach. That same year, it entered into a two-decade consent agreement with the FTC prohibiting it from misrepresenting safeguards for consumer data and charging the company with maintaining a privacy program. A company official told Congress in 2018 that Uber had stopped using GitHub as a repository for proprietary code and instituted restrictions on access to its cloud storage accounts, including multifactor authentication and IP address whitelisting.
Closely Watched Case
The case has been closely watched by the information security community in part because of Sullivan's stature and reputation for advancing cybersecurity practices.
Before Uber, Sullivan served as a federal prosecutor and then CSO of Facebook for five years. He was a commissioner on President Barack Obama's Commission on Enhancing National Cybersecurity, which recommended ways to improve the nation's cybersecurity. Post-Uber he served as CSO of Cloudflare, although he stepped down in July to prepare for the trial.
The case against Sullivan was especially notable, according to Mark Rasch, of counsel to the law firm of Kohrman Jackson & Krantz, because it was "the first instance in which a CSO or CISO has been personally held responsible - other than by firing - for a data breach response, and the first time that criminal sanctions of any kind have been sought against the corporate victim of a data breach for ... mishandling the data breach itself."
One question posed by CSOs in the wake of the charges filed against Sullivan was whether they might now be held personally liable for how they handle security incidents, rather than simply fired if things go wrong, as is typical.
Many in the cybersecurity community have voiced support for Sullivan, and Jamil Farshchi, CISO at Equifax, cautioned in a LinkedIn post against "tribalism." He said that Uber had clearly and inappropriately concealed a major breach and that Sullivan was involved in the concealment.
"What Sullivan did was wrong. Really wrong," Farshchi wrote. "There very well may have been others involved. And if so, they too should be held to account."
Who's Responsible for Data Breach Reporting?
Before the trial began, a spokesman for Sullivan said every action taken by Sullivan and his breach response team involved close collaboration "with legal, communications and other relevant teams at Uber, in accordance with the company's written policies."
No one else involved in Uber's response has been charged in connection with the data breach or alleged cover-up.
Sullivan's defense rested in part on his contention that the company's legal team has responsibility for deciding when to make a breach notification.
On Sept. 20, attorney Randall Lee testified that Sullivan in late September 2017 told him that disclosure to the FTC was a legal decision outside his purview. Lee, a former partner at law firm Wilmer Cutler Pickering Hale and Dorr, was part of a team brought in by Uber's board of directors to review the company response to the 2016 breach.
"If we couldn't contain, it's legal's job to decide," Lee said Sullivan told him, based on his notes, Courthouse News Service reported.
Other CISOs have questioned that approach. "Call me old-fashioned if you like, but legal's role is generally to provide advice to the executive(s) who make the decision," Ian Thornton-Trump, CISO of Cyjax, said via Twitter. "Trying to pin this decision on your legal team sounds like a move to avoid any sort of accountability for the executive decision made."