Uber’s ex-security chief gets probation for 2016 hack cover-up – CISOs react

Sentence for Joseph Sullivan causes debate.

On May 4, a judge sentenced Joseph Sullivan, the former chief security officer (CSO) at Uber, to three years’ probation and 200 hours of community service for covering up a 2016 cyberattack and obstructing a federal investigation. He must also pay a $50,000 penalty.

The evidence at trial established that while Sullivan was serving as the CSO, Uber was under investigation by the Federal Trade Commission (FTC) as a result of a data breach the company had suffered in 2014.

Sullivan was hired soon after the FTC investigation launched, and he participated in Uber’s response to that investigation, presenting to the FTC in March 2016 regarding Uber’s cybersecurity program and testifying under oath in November 2016. 

57 million records hacked

Ten days after his sworn FTC testimony, Sullivan learned that Uber had been hacked again. Furthermore, the hackers had exploited the same vulnerability that had led to the 2014 breach. Unlike the 2014 breach, however, the data stolen in 2016 was massive in scale and included records associated with approximately 57 million Uber users and drivers.

Despite having testified regarding that same security vulnerability and related issues 10 days prior, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC.

He arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone. Those contracts, drafted by Sullivan and a lawyer assigned to his team, falsely represented that the hackers did not take or store any data in their hack.

Information withheld

Thereafter, Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the General Counsel of Uber, but he withheld information about the breach from all of them.

In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied about the circumstances of the breach, including by telling the CEO and Uber’s outside counsel that the hackers did not steal any data.

The truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach to the public and to the FTC in November 2017. 


The judge in the case, US District Judge William Orrick in San Francisco, explained in detail the reasoning behind the penalty he imposed on Sullivan, which could have been far more severe than probation.

The judge noted that Sullivan had spent part of his career trying to protect people from the sort of crime he later concealed (Sullivan had been a public prosecutor, working on cybercrime cases in the late 1990s) and that Sullivan’s steps, however ill-conceived, had succeeded in keeping the stolen data from being exposed.

But he also delivered this instructive note: “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. When you go out and talk to your friends, to your CISOs, you tell them you got a break not because of what you did – not even because of who you are – but because this was such an unusual one-off.”

Supporters and dissenters

Sullivan issued a statement following the ruling that expressed thanks to the court for putting so much time and thought into the decision. “I will forever be grateful to the hundreds of people who wrote and signed letters of support,” Sullivan said.

And the case certainly generated a lot of such letters – over 180 of them – many of them supportive of Sullivan. They were filed with the judge and asked that Sullivan be spared jail time; one of the letters bore the signatures of 40 current or former security executives.

Some CISOs pointed out that paying off hackers has become commonplace at businesses hit by ransomware, and other CISOs feared the ramifications of CISOs facing criminal charges when their companies were hacked. That could make the role unattractive to those otherwise qualified and interested in pursuing it.

But others felt that the CISOs coming to his defense showed “tribalism,” that Sullivan had not done the lawful and right thing, and they pointed out that Sullivan himself had admitted to being “a bad role model” in his statement at sentencing.