On October 5, 2022, Joe Sullivan, Uber’s former Chief Security Officer, was convicted of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.” He faces up to eight years in prison. The conviction marks the first time that an individual company executive has faced criminal charges related to an information security breach.
While this conviction could be viewed as a slippery slope toward more cases—both civil and criminal—where Chief Security Officers or Chief Information Security Officers are found personally liable for company data breaches that happen on their watch, Sullivan’s actions went beyond simple failure to stop a breach or even failure to report it. As the prosecutor in the case, US Attorney Stephanie Hinds explained, “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught. We will not tolerate the concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.” By bringing these charges the government was sending a message that it views companies as responsible for the data they collect from consumers and expects those companies to be transparent and honest when dealing with a known data breach.
On November 14, 2016, anonymous hackers emailed Sullivan and others at Uber to report a security hole that allowed the hackers to download data from an Amazon repository of Uber data. Using an unsecured digital key, the hackers were able to exfiltrate unencrypted data on more than 50 million Uber riders and 600,000 drivers.
Sullivan initially offered the hackers $10,000—the standard payout in the company’s “bug bounty” program. Such programs have existed for more than 20 years and are used by entities to encourage individuals to report security vulnerabilities or other “bugs” in exchange for a monetary reward or similar gift. Many of the largest technology companies over the years, including Facebook, Google, Yahoo!, and Microsoft have used similar programs, but here the hackers were not willing to accept the standard reward. Instead, the hackers countered that they would release the data if they did not receive more money. After negotiations, Sullivan ultimately paid the hackers $100,000 on the condition that the individuals delete all the stolen data and sign a nondisclosure agreement related to the incident.
At the same time that Sullivan learned about the incident, he was cooperating with the FTC on an unrelated 2014 Uber data breach. On November 4, 2016, Sullivan had testified under oath to the FTC about the 2014 incident and subsequent steps Uber had taken to improve its cybersecurity practices. Even though the attackers notified Sullivan of the incident only ten days after his FTC testimony, Sullivan did not disclose this communication to the FTC and, according to testimony from his trial, actively concealed the incident even within the company.
Uber eventually disclosed the breach to authorities a year later in November of 2017, after its current CEO, Dara Khosrowshahi, joined the company. When Khosrowshahi learned about the incident and the payment to the hackers, he fired Sullivan and the company reported the incident. Uber ended up paying $148 million to settle with various attorneys general across the United States for failing to timely comply with breach notification laws in providing notice of the 2016 breach.
What Does This Mean?
Sullivan’s prosecution and conviction have sparked much discussion in the cybersecurity community about how Chief Information Security Officers should balance corporate transparency around cybersecurity incidents against protections of company reputation. Particularly concerning are the charges brought against Sullivan for “misprision of felony,” an archaic crime that originated in the common law of Great Britain. Misprision of a felony is a felony under U.S. federal law and punishable by both fine and imprisonment, but it was never adopted as a crime by most U.S. states. Under U.S. federal law (18 U.S.C. § 4), there are four elements to the crime:
- a completed felony
- the defendant knowing about the felony’s commission
- the defendant failing to notify a proper law enforcement authority, and
- the defendant taking some affirmative step to conceal the felony.
Some have argued that Sullivan’s payment to the hackers in this case is not terribly different from companies’ payments to ransomware attackers demanding ransom. The difference, however, lies in the lack of transparency. Sullivan took active steps to conceal the incident from others in the company and, more importantly for his criminal conviction, from government officials. His conviction is a stark reminder that companies must be honest and candid about the details and extent of an incident and should not try to play games with the facts to avoid reporting a verified incident.
This case also comes at a time when lawmakers are pushing for increased accountability over hacks due to the rise of high-profile cyberattacks on critical infrastructure. In March of 2022, for example, President Biden signed cybersecurity legislation that mandates certain sectors report breaches to the Department of Homeland Security within 72 hours of discovery, or in 24 hours if they make a ransomware payment, which significantly expanded reporting obligations of covered entities. The SEC has also recently been pushing for additional transparency and disclosure of cyber incidents. And the FBI and Treasury Department have said that they are willing to be flexible and lenient about ransom payments if victims notify the government and cooperate with law enforcement.
As a result, companies should work to identify all applicable reporting obligations in the event of a cybersecurity incident and may need to revisit existing cybersecurity policies and procedures to ensure compliance. Further, in light of Sullivan’s recent conviction, company executives in particular should ensure that any incident investigation and response is carried out at the direction of counsel and in compliance with applicable laws.