This week, the former Chief Security Officer of Uber, Joseph Sullivan, was found guilty on one count of obstruction of justice and one count of misprision, the act of concealing a felony from authorities, arising out of his handling of a 2016 data breach at the company.
The verdict is being hailed as a decision that will forever change the way security professionals handle data breaches, and many speculate it will dissuade people from entering the security profession altogether. But a closer inspection of the facts is critical, and should temper sky-is-falling concerns that personal liability of CISOs is the new norm.
In 2016, Sullivan received an email from an actor who claimed to have found a security vulnerability in Uber's network, and shortly after, Sullivan learned the actor had in fact exfiltrated personal data of 600,000 Uber drivers and the PII of roughly 57 million riders and drivers. Sullivan referred the actor to Uber's bug bounty program, a program used to pay "white knight" or non-criminal persons who voluntarily report discovered vulnerabilities to a company to help improve its security posture; the program had a reward cap of $10,000.
Sullivan's use of the Uber bug bounty program to engage with the hackers was irregular and in violation of the program's own terms. And once the matter was diverted to the program, Sullivan took several further irregular actions:
- When the hackers would not accept the bug bounty's standard $10,000 reward, Sullivan negotiated an increased payment of $100,000 to them, which was in violation of the terms and conditions of Uber's bug bounty program.
- Bug bounty programs are designed to reward "white hat" ethical hackers and security researchers for their efforts in identifying network vulnerabilities. Bug bounty programs should not be used as a method of paying ransom to criminal actors. Here, evidence—including testimony from one of the hackers himself—supported that these individuals were extorting Uber and were motivated by financial gain, and were not ethical hackers or researchers. This should have precluded Sullivan from diverting them to the bug bounty program.
- Further, Uber's bug bounty program did not authorize use of the program where personal information had been accessed, which the hackers told Sullivan they had done, and Sullivan knew at a very early stage that PII was accessed.
Probably most critically, Sullivan directed the hackers to sign a supplemental NDA, which abridged the standard terms Uber had used in the bug bounty program previously. The supplemental NDA falsely claimed that the hackers had not obtained or stored any data during their intrusion into Uber's network. The evidence presented at trial showed that both Sullivan and the hackers knew this claim was false; in fact, they had accessed 600,000 driver records and the personal information of 57 million riders and customers. The supplemental NDA also included promises from the hackers that are more typically found in ransomware response—promises to delete or destroy data.
Testimony at trial also showed that Sullivan modified language in the NDA after its execution to make it appear that the hackers were researchers properly in the bug bounty program. In fact, it has been reported that one of the jurors pointed to these affirmative acts—the post-execution modification of the NDA in particular—as compelling the verdict.
A former Uber attorney also testified that Sullivan expressly told him to keep the incident secret, to not report it to Uber's General Counsel or to other internal C-suite persons, and that he (Sullivan) would handle the matter with Uber's CEO at the time. Sullivan's efforts to keep the incident from Uber's legal and regulatory functions were irregular; standard incident response should include participation by, and disclosure to, internal stakeholders in accordance with an incident response plan.
Among other things, Sullivan's defense stressed that his efforts to engage the hackers through the bug bounty program actually led the company to determine the identities of the hackers, forcing them to engage under their real names, and later enabled their criminal prosecution. This may be true, but it did not relieve Uber of its own response and reporting requirements. In addition to state laws which likely required Uber to report this incident to consumers, Uber was at that exact time already subject to a Consent Decree with the FTC concerning an earlier 2014 data breach.
In connection with the FTC's monitoring of Uber's compliance with the 2014 decree, Sullivan was engaging frequently with the FTC regarding Uber's security—including sitting for a deposition 10 days before the 2016 incident, and contemporaneously responding to FTC inquiries about Uber's security posture weeks and months after—without ever disclosing that new information.
While the verdict will undoubtedly be fodder for commentary for months to come, the key takeaway should be that this is not a "failure to report" prosecution or punishment for paying a ransom.
Sullivan's conviction was based on affirmative actions taken by Sullivan to obstruct the FTC's ongoing investigation into Uber—improperly diverting the hackers to Uber's bug bounty program, paying a "reward" and soliciting NDA terms that were not authorized by that program, modifying the NDA post-execution to suggest the actors were motivated by research, and providing knowingly inaccurate responses to FTC inquiries.
Sullivan's conviction should not be an existential crisis for CISOs and security professionals. Sullivan's actions were irregular. No one person should direct and handle all aspects of incident response. Incident response teams should include stakeholders from across departments, including legal and compliance, and response decisions—including the decision to divert an intrusion to a bug bounty program and certainly the decision to report to regulators and consumers—should be made in accordance with established company policies and existing law.
While widespread criminal prosecution of CISOs following the Sullivan verdict is unlikely, FTC Chair Lina Khan recently suggested that future consent decrees with the FTC may name individual executives as responsible for following the decrees and enhancing company security practices. This type of initiative could have a far wider impact on CISO and security professional accountability than any one criminal prosecution, and should be watched by organizations and security professionals alike.