This Case Could Have Massive Ramifications for the Security Industry

Former Uber Security Chief Found Guilty of Hiding Hack From Authorities

A jury found Joe Sullivan, who led security at the ride-hailing company, guilty on two different counts. The case could change how security professionals handle data breaches.
Joe Sullivan, the former Uber security chief, was found guilty on Wednesday by a jury in federal court on charges that he did not disclose a breach of customer and driver records to government regulators.

In 2016, while the Federal Trade Commission was investigating Uber over an earlier breach of its online systems, Mr. Sullivan learned of a new breach that affected the Uber accounts of more than 57 million riders and drivers.

The jury found Mr. Sullivan guilty on one count of obstructing the F.T.C.’s investigation and one count of misprision, or acting to conceal a felony from authorities.

The case — believed to be the first time a company executive faced criminal prosecution over a hack — could change how security professionals handle data breaches.
“The way responsibilities are divided up is going to be impacted by this. What’s documented is going to be impacted by this. The way bug bounty programs are designed is going to be impacted by this,” said Chinmayi Sharma, a scholar in residence at the Robert Strauss Center for International Security and Law and a lecturer at the University of Texas at Austin School of Law.

Mr. Sullivan’s trial concluded on Friday, and the jury of six men and six women took more than 19 hours to reach a verdict.
“While we obviously disagree with the jury’s verdict, we appreciate their dedication and effort in this case,” said David Angeli, a lawyer for Mr. Sullivan. “Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet.”

Andrew Dawson, an assistant U.S. attorney, declined to comment on the verdict. Uber did not immediately respond to requests for comment.
Mr. Sullivan was deposed by the F.T.C. as it investigated a 2014 breach of Uber’s online systems. Ten days after the deposition, he received an email from a hacker who claimed to have found another security vulnerability in its systems.

Mr. Sullivan learned that the hacker and an accomplice had downloaded the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents. The hackers pressured Uber to pay them at least $100,000.

Mr. Sullivan’s team referred them to Uber’s bug bounty program, a way of paying “white hat” researchers to report security vulnerabilities. The program capped payouts at $10,000, according to court testimony and documents. Mr. Sullivan and his team nonetheless paid the hackers $100,000 and had them sign a nondisclosure agreement.
During his testimony, one of the hackers, Vasile Mereacre, said he was trying to extort money from Uber.

Uber did not publicly disclose the incident or inform the F.T.C. until a new chief executive, Dara Khosrowshahi, joined the company in 2017. The two hackers pleaded guilty to the hack in October 2019.

States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
Federal prosecutors argued that Mr. Sullivan knew that revealing the new hack would extend the F.T.C. investigation and hurt his reputation, and that he concealed the hack from the F.T.C.

“He took many steps to keep the F.T.C. and others from finding out about it,” Benjamin Kingsley, an assistant U.S. attorney, said during closing arguments on Friday. “This was a deliberate withholding and concealing of information.”
Mr. Sullivan did not reveal the 2016 hack to Uber’s general counsel, according to court testimony and documents. He did discuss the breach with another Uber lawyer, Craig Clark.

Like Mr. Sullivan, Mr. Clark was fired by Mr. Khosrowshahi after the new chief executive learned about the details of the breach. Mr. Clark was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan.

Mr. Clark testified that Mr. Sullivan had told the Uber security team that they needed to keep the breach secret, and that Mr. Sullivan had changed the nondisclosure agreement signed by the hackers to make it falsely seem that the hack was white-hat research.

Mr. Sullivan said he would discuss the breach with Uber’s “A Team” of top executives, according to Mr. Clark’s testimony. He shared the matter with only one member of the A Team: the chief executive at the time, Travis Kalanick. Mr. Kalanick approved the $100,000 payment to the hackers, according to court documents.
Lawyers for Mr. Sullivan argued that he had merely been doing his job. They argued that Mr. Sullivan and others had used the bug bounty program and the nondisclosure agreement to prevent user data from being leaked — and to identify the hackers — and that Mr. Sullivan had not concealed the incident from the F.T.C.

After the trial, one of the jurors, Joel Olson, said that the extensive array of documents presented by the lawyers in the case, including edits to the nondisclosure agreement, made it clear that Mr. Sullivan had hidden the breach from authorities. “It was all dated and timed and documented very clearly,” he said.

Judge William H. Orrick did not set a date for sentencing. Mr. Sullivan may appeal if post-trial motions fail to set the verdict aside.
Sources: nytimes.com, washingtonpost.com
Here's the Daily's previous coverage on the Uber case:

October 11, 2022: The Uber Data Breach Conviction Shows Security Execs What Not to Do
October 6, 2022: Former Uber Security Chief Found Guilty of Hiding Hack From Authorities
September 7, 2022: As Ex-Uber CSO Heads to Trial, the Security Community Reels
August 4, 2022: Fraud charges in hacking case against Uber ex-security chief are dismissed
July 26, 2022: Uber admits massive 2016 data breach coverup, cooperates with feds
April 28, 2022: Former Uber Chief Security Officer To Face Wire Fraud Charges
August 24, 2020: Watch: Former Uber CSO Charged With Covering Up 2016 Data Breach
August 21, 2020: Former Chief Security Officer For Uber Charged With Obstruction Of Justice
September 27, 2018: Uber Fined $148 Million for Breach Cover-Up
February 7, 2018: Uber Paid Hackers $100K to Destroy Stolen Data on 57M people, Keep Quiet
December 1, 2017: Three Uber security managers resign after CEO criticizes practices