Last month, Joe Sullivan, Uber’s former chief of security, went on trial in California for his handling of a 2016 security breach. On Wednesday 5 October, a jury found him guilty.
Experts believe the case could change how security professionals and their companies handle data breaches. Commenting after the verdict, one told The New York Times: “The way responsibilities are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programmes are designed is going to be impacted by this.”
According to the original complaint, Sullivan learned in 2016 that hackers had secured access to the personal data of 600,000 Uber drivers and information associated with 57 million riders and drivers. He then directed those responsible to the company’s bug bounty programme, which offers financial incentives to those who find security vulnerabilities.
Uber paid the two hackers $100,000 in Bitcoin and made them sign non-disclosure agreements (NDAs). The hackers later pleaded guilty to their role in the hack, alongside a separate hack against Lynda.com (now LinkedIn Learning). But Uber did not disclose the incident to its customers or inform the US regulator, the Federal Trade Commission, which was already investigating Uber over its privacy and security practices in 2016.
The incident came to light in 2017, when the incoming CEO, Dara Khosrowshahi, disclosed it; he fired Sullivan, and Uber paid an agreed $148m to settle claims it had been slow to reveal the hack.
Sullivan, who is now CSO for Cloudflare, had pleaded not guilty. The verdict is a fall from grace for the former federal prosecutor, who has also spent time at Facebook and eBay. He will now wait to hear whether he will face jail at a yet-to-be-scheduled sentencing hearing.
The poisoned chalice
The verdict was a surprise to many working in this sector. Sullivan claimed he had internal legal advice that suggested there was no need to disclose the hack if the culprits were identified and agreed to delete the data. But court testimonies and documents revealed he did not disclose the hack to Uber’s general counsel, although he did discuss it with Craig Clark, another Uber lawyer.
Clark was also fired by Khosrowshahi in 2017 but was given immunity by prosecutors in exchange for testimony against Sullivan. He said Sullivan had told the Uber security team they needed to keep the breach secret and that Sullivan had changed the NDAs to falsely claim the hack was ‘white-hat research’.
Being a CISO is admittedly not an easy job. Security officers have to juggle multiple priorities, build good working relationships with other leaders, and develop a culture of privacy by design. Staff need to feel comfortable reporting any security breaches – potential or actual – to the CISO without fear of being blamed. But it was Sullivan’s own dishonest actions in covering up the data breach and obstructing the course of justice, by not telling the authorities about the hackers at the time, that saw him in the dock.
Threats of litigation
With the number of data breaches at an all-time high last year, this isn’t an issue that’s going away anytime soon. And while criminal proceedings aren’t commonplace, data breaches can lead to fines and penalties, loss of reputation and customers, and civil litigation. Following a hack in 2020 of the software company SolarWinds Corp, investors filed a class action against the company and its executive team, including security chief Tim Brown. Gartner predicts that 75% of CEOs will be held personally liable for security incidents by 2024.