The verdict is in for Uber’s former Chief Security Officer (CSO) Joe Sullivan, who was found guilty of all charges related to the 2016 Uber data breach cover-up.
A federal jury found Sullivan guilty of obstruction of justice and misprision of a felony, which is the deliberate concealment of one's knowledge that a felony has been committed.
Sullivan now faces up to a total of eight years in prison—five for the obstruction of justice charge and three for misprision. A sentencing date has not been announced.
The prosecution dropped three additional counts of wire fraud related to the payments after the trial began, which spared Sullivan a potentially much longer sentence.
The trial and verdict have taken center stage in the security world, as this marks the first time a chief security officer has faced criminal charges stemming from incident-response activities.
About the 2016 Uber Breach and Cover-up
Uber found itself at the center of one of the largest, most high-profile cyber attacks in 2016 that resulted in the breach of personally identifiable information, including full names, contact information and nearly 600,000 driver license numbers of more than 55 million Uber users and seven million drivers.
The threat actors reportedly carried out the attack by obtaining access to Uber's Amazon Web Services (AWS) account through credentials stored in a GitHub repository. They demanded $100,000 in exchange for deleting the stolen data.
Following the ransom demand, Sullivan made the decision to pay the full amount via bitcoin in exchange for the data being destroyed.
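The initial foothold described above, a long-lived AWS credential pair sitting in source control, is the kind of leak a repository scan catches before a commit leaves a developer's machine. The script below is an added example, not code from the article, from Uber, or from Schneider Downs: it scans file contents for AWS access key IDs and secret access keys, using the publicly documented AWS example key formats, and drops obvious placeholders with a Shannon-entropy check. The sample config it runs over is constructed for the example.

```python
import math
import re
from typing import List, Tuple

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA;
# both are 20 characters. Secret keys are 40 characters of base64-like text.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Real 40-char secrets land around 4.5+;
    placeholders such as forty 'x' characters score 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_secret_entropy: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every credential found in text.
    Access key IDs have a fixed format and are always reported; secret keys
    are only reported when their entropy says they are not a dummy value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_secret_entropy:
                findings.append((lineno, "aws_secret_access_key", secret))
    return findings


def is_clean(text: str) -> bool:
    """True when a pre-commit hook should let the content through."""
    return not scan_text(text)


# Constructed sample of a credentials file accidentally committed to a repo.
# The key values are the ones AWS uses in its own documentation examples.
SAMPLE_CONFIG = """\
# constructed sample, not a real credentials file
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[placeholder]
AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} = {value[:4]}...{value[-4:]}")
    print("clean" if is_clean(SAMPLE_CONFIG) else "BLOCK COMMIT: credentials found")
```

Run as a pre-commit hook it reports the access key ID on line 4 and the secret on line 5 and ignores the all-x placeholder on line 8. The entropy threshold is what keeps the check usable in a real repository; without it every `AWS_SECRET_ACCESS_KEY=xxxx...` in a template file would block a commit.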
How Exactly Did Sullivan Break the Law?
While paying a ransom is never recommended, it is not a federal crime. What is a crime is covering up that payment, which Sullivan chose to do in an attempt to hide the nature of the breach.
Sullivan knowingly misrepresented the ransom payment as a bug bounty reward and had the attackers sign non-disclosure agreements. Bug bounty programs are commonplace among organizations and are designed to provide financial incentives to those who responsibly report vulnerabilities in products or services.
By portraying the breach and ransom payment as a bug bounty reward, Sullivan changed the narrative from a serious cybersecurity breach to a more benign group of helpful individuals being rewarded for exposing a critical vulnerability.
Sullivan knowingly concealed the breach from the Federal Trade Commission (FTC) and hid it from Uber CEO Dara Khosrowshahi, who went on to testify against Sullivan at trial.
The obstruction of justice charge followed from Sullivan's failure to amend his earlier sworn testimony to the FTC about Uber's security practices after he learned of the 2016 breach.
Uber disclosed the incident and terminated Sullivan in November 2017. Additionally, Uber was hit with a $148 million penalty related to the cover-up in 2018 and agreed to 20 years of privacy audits.
Uber itself acknowledged the conduct as part of a non-prosecution agreement, which stated that Sullivan took steps to keep knowledge of the data breach tightly controlled and that the Uber attorneys communicating with the FTC were not told of the breach, even as they represented the company's security practices as much improved since 2014.
Should Cybersecurity Executives Be Worried About the Sullivan Verdict?
The simple answer is no.
It is important to remember that Sullivan was not charged and convicted because a breach happened under his leadership. He was charged and convicted for the cover-up and false testimony, and for obstructing an existing FTC investigation into Uber's 2014 breach.
“We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” said U.S. Attorney Stephanie Hinds. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”
Did You Know October is Cybersecurity Awareness Month?
In support of Cybersecurity Awareness Month 2022, the Schneider Downs cybersecurity team is introducing a library of cybersecurity resources to help keep cybersecurity top-of-mind every day—at home, in the office and everywhere in between.
Explore the new resources at www.schneiderdowns.com/ncsam.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected].