The Uber data breach that took place in 2016 was a case study in how not to handle such an incident, and after court proceedings it appears that former security chief Joseph Sullivan will be taking the brunt of the responsibility. The IT leader, who had a long and illustrious history in the industry prior to the Uber incident, has been found guilty of obstruction of justice by a federal court.
The conviction could include prison time; the two charges each allow for several years of incarceration. The case also appears to have established that former Uber CEO Travis Kalanick was informed of the plan by Sullivan and gave it the green light, but he will not be facing charges in the case due to a lack of solid evidence.
Uber security chief takes the fall in cover-up of massive 2016 data breach
Sullivan was appointed as Uber’s security chief in 2015, following a separate 2014 data breach that saw the records of tens of thousands of drivers stolen from the company. Though that earlier breach was reported to the FTC, it created serious problems for the company; when Sullivan took over, Uber was under order to report to the FTC on its security practices and on any other data breaches that might be discovered.
The new security chief had no sooner finished testifying to the FTC that the company’s ship was squared away than the 2016 data breach occurred, leaking 57 million records of personal information to hackers. After privately verifying that the data breach was legitimate, Sullivan authorized a $100,000 payment to the hackers meant to remove the stolen data from circulation and keep the incident quiet. None of this was reported to the FTC.
The plan was apparently to bury the payment in the company’s bug bounty program, but the ruse was sniffed out in 2017 when Kalanick was removed and replaced with new CEO Dara Khosrowshahi. The court case established that the security chief continued to attempt to conceal the incident as new management began asking questions about the payment, keeping information from both the company’s internal legal team and the outside lawyers that were eventually brought in to investigate. The final nail in the coffin was the apprehension of the two hackers who caused the data breach; they pled guilty in 2019 and testified that they had been paid before Sullivan’s security staff unmasked their identities.
First case of criminal charges for a CISO in corporate data breach
The sentencing date has yet to be set, but eyes in the IT world will be on it as it will establish a new precedent: personal criminal penalties for an executive due to handling of a data breach at work.
A simple payment to hackers is not enough to prompt such charges; Sullivan drew this unusual set of circumstances by keeping information from the FTC during an investigation and the negotiation of a breach settlement. But the findings of the case make clear that payments cannot be structured as “bug bounties” as a way to dodge potential charges of this nature, and that prosecutors can use communications with the hackers (including attempts to get them to sign non-disclosure agreements) as evidence of an attempt to cover up an incident.
CISOs will no doubt want to see much clearer federal policy for personal liability established now that this particular line has been crossed. In the meantime, the possibility of criminal charges (and prison time) has left some wondering if this will push executives to expect CISOs to “fall on their sword” for the company in similar situations, and if CISOs need to anticipate this set of circumstances when negotiating their employment contracts.