Joe Sullivan, a former Chief Security Officer at Uber Technologies Inc., was sentenced to three years of probation and 200 hours of community service Thursday. Sullivan was charged for his role in suppressing and obstructing justice for a cyberattack ransomware scheme that extorted $100K and over 50 million Uber users’ data from Uber in 2016.
The payment sent to the hackers was routed through the company’s bug bounty program, normally used for responsible disclosure of security vulnerabilities.
Sullivan then instructed the hackers to sign non-disclosure agreements falsely claiming that no data had been stolen.
Sullivan concealed hack from FTC, protected hackers
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said US State Attorney Stephanie M. Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
The evidence at trial demonstrated that Sullivan, in his new role as Uber CSO, played a central role in Uber’s response to the FTC back in 2016. Sullivan testified under oath in March, 2016 of Uber’s hack originating from 2014.
Ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.
Sullivan chose to pay $100K to the hackers in an attempt to keep the hack and data breach private, without alerting authorities or following proper data breach disclosure laws.
The hack wasn’t publicly acknowledged until 2017, once Dara Khosrowshahi became the new Uber CEO.
Khosrowshahi fired Sullivan in 2017, and testified in court in 2022 that Sullivan had “made the wrong decision.”
Sullivan then served as the Chief Security Officer of Cloudflare from 2018 to 2022, stepping down in July in advance of his trial.
The two hackers from the 2016 Uber hack have since been sentenced and pleaded guilty in 2019. The testimony from each hacker was reportedly instrumental in the charges brought on by the prosecution in Sullivan’s trial.
CISOs, CSOs fear legal precedent if Sullivan serves jail time
Prosecutors were gunning for Sullivan to serve 15 months in prison, and the defense in response provided over 186 letters in support of Sullivan’s character.
Many letters were reportedly from fellow CISOs sharing that they’d be afraid of the legal precedent set if Sullivan were to serve jail time.
The outpouring of support for Sullivan from fellow chief executives is interesting, as the stakes are high if Sullivan were to serve any jail time. The message would be received across the entire cyber industry: make a mistake as a chief security executive, and you probably will go to jail.
Yet, Sullivan escapes jail time thus far, despite unethical payments, falsified NDAs, and dismissing the violation of private Uber user data of over 50 million employees and customers in favor of his own job security.
Perhaps, the wrong message was just sent and received to the chief executive level of the cybersecurity industry.
Uber has since had several of cybersecurity incidents, including two in late 2022 alone.
The first hack in September used social engineering to convince an employee to give credentials over the company’s Slack channel. A second breach in December included personal mobile device management info for over 77,000 Uber employees.
