Former Uber Cybersecurity Chief Earns Criminal Conviction for Concealing Data Breach

Dec 1, 2022 | Blog

In what is believed to be the first criminal conviction of a company executive officer regarding a data breach response, the former Chief Security Officer of the ride-sharing company Uber was convicted in early October for the mishandling of a data security incident back in 2016.

On October 5, 2022, Joe Sullivan—who served as Uber’s CSO from April 2015 to November 2017—was found guilty by a San Francisco federal jury of obstructing proceedings and misprision of felony. This decision could have wide-reaching ramifications on the way cybersecurity executives handle data breaches in the future.

In November 2016, the Federal Trade Commission (FTC) was investigating a previous data breach that had occurred at Uber in 2014 (“2014 Breach”). Sullivan, who had been hired at Uber to manage the company’s response to the 2014 Breach, was deposed on November 4th. During his deposition, Sullivan gave testimony touting Uber’s newly enhanced cybersecurity practices.

Ten days after the deposition, however, another data breach (“2016 Breach”) occurred that compromised the information of 57 million Uber users, both drivers and riders. The hackers who had perpetrated the 2016 Breach threatened to leak the data unless they were paid a $100,000 ransom.

Without informing the FTC or Uber executives, Sullivan quietly paid off the hackers under the guise of Uber’s bug bounty program, a program designed to pay ethical or “white hat” hackers who discover vulnerabilities in Uber’s security systems and bring them to the company’s attention.

After receiving $100,000 in bitcoin through the bug bounty program, the hackers deleted the data and signed a non-disclosure agreement regarding the incident. The 2016 Breach did not come to light until a year later when new CEO Dara Khosrowshahi took over the company. When Khosrowshahi became aware of the incident, he alerted the FTC, issued a public apology, and fired Sullivan.

Both of the hackers were eventually indicted and pled guilty in 2019 to computer fraud conspiracy charges. Sullivan himself was also charged in 2020 for his role in what prosecutors argued was a cover-up. The FTC argued that Sullivan’s knowledge of the 2016 Breach had direct bearing on the ongoing investigation into the 2014 Breach, as it would have shed light on Uber’s current state of cybersecurity preparedness.

A press release on the website for the U.S. Attorney’s Office for the Northern District of California noted: “The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security.”

The jury found that the withholding of this material information served to obstruct the FTC’s proceedings. But perhaps the more surprising conviction for Sullivan was misprision of felony. In federal law, misprision of felony (18 U.S. Code § 4) is a crime where a person fails to report a felony that they know has occurred, while also taking affirmative steps to conceal that felony. In actuality, misprision of felony is rarely prosecuted for several reasons. In many cases, the act of concealing a felony would fall under other charges such as accessory after-the-fact or obstruction of justice.

In the case of Uber, however, the jury saw Joe Sullivan’s failure to amend his sworn FTC testimony and his attempts to pay the hackers “hush money” as affirmative actions towards a cover-up, enough to meet the misprision of felony threshold. U.S. Attorney Stephanie M. Hinds commented that, “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught.”

Paying the hackers in and of itself wasn’t the primary focus of the prosecution, though. It was paying them surreptitiously through the bug bounty program and mandating that they sign an NDA. U.S. law enforcement entities typically do not forbid companies from paying off hackers in data breach scenarios. But these authorities do generally require companies to make the appropriate disclosures and to cooperate with law enforcement and governmental agencies during investigations. A CSO/CISO may prioritize the protection of his or her company’s reputation, but as the Uber case has plainly illustrated, transparency and following the law provide the safest course in the event of a cybersecurity incident.

If you have any further questions pertaining to cybersecurity or data breach response, please contact Ken Rashbaum.