Global Finances Daily

Judge Spares Former Uber CISO Jail Time Over 2016 Data Breach Charges

May 7, 2023



On May 4, a federal judge in California sentenced former Uber chief information security officer Joseph Sullivan to three years of probation for his role in covering up a 2016 data breach that exposed data on more than 50 million customers.

Judge William Orrick of the US District Court for the Northern District of California also ordered Sullivan to pay a $50,000 fine and do 200 hours of community service.

A Fortunate Break

The no-prison-time sentence is likely to come as a relief of sorts for some within the industry who had perceived Sullivan as the fall guy for a broader security failure at Uber. Others, including prosecutors in the case who had argued for a 15-month prison term, will likely view the sentence as not doing enough to deter similar behavior by executives in high-stakes situations.

In handing down the sentence, Judge Orrick himself appears to have minced no words in making clear that other cybersecurity leaders would not be so fortunate if they ended up before him like Sullivan did.

“If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison,” some media outlets quoted Judge Orrick as saying during the sentencing. “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”

Not Reporting and Concealing a Breach

A federal jury found Sullivan guilty last October on two felony counts related to a data breach at Uber in November 2016 that exposed data belonging to some 57 million customers and 600,000 drivers at the ride-sharing giant. One of the counts had to do with Sullivan actively concealing the breach from Federal Trade Commission officials who, at the time, were investigating an earlier 2014 breach at Uber. Federal prosecutors charged Sullivan with deliberately withholding and concealing the 2016 breach from FTC investigators even as he provided sworn testimony to them about the 2014 breach.

The second count on which the jury convicted Sullivan was for misprision of a felony, or for working to cover up the 2016 breach from others, including executives at Uber. Prosecutors said Sullivan did this by paying $100,000 to the two hackers responsible for the breach, to keep them from making it public. Sullivan, working with other members of his security team, arranged for the hackers to receive payment via Uber’s official bug bounty program and then got the hackers to sign a supplemental nondisclosure agreement (NDA), in essence to buy their silence. To receive the money the hackers agreed that they had not accessed any sensitive data at Uber, when, in fact, they had.

The bounty was the largest that Uber had ever paid researchers under its bug bounty program till that time. The supplemental NDA was also the first time that Uber had mandated such a requirement from bug hunters, prosecutors said in highlighting the lengths to which Sullivan went to conceal the breach. In their sentencing memorandum, prosecutors noted that Sullivan almost got away with his plan because knowledge of the FTC’s investigation and of Uber’s cybersecurity program existed within a silo at the company. Only a few people at the company knew of the significance of the breach, and had it not been for the arrival of a new CEO at Uber — Dara Khosrowshahi — in August 2017, the incident would have remained a secret, they noted.

Arguments for Probation

At Sullivan’s trial last year Khosrowshahi said he fired Sullivan in 2017 after finding out the latter had attempted to mislead him in an email about the 2016 data breach. The Uber CEO said he decided to inform regulators of the incident because he felt Sullivan’s decision not to disclose the breach “was the wrong decision.”

In pleading for a probationary sentence, Sullivan’s attorneys argued that prosecutors had overstated the implications of some of the former CISO’s statements and actions. They noted that Sullivan had kept Travis Kalanick, Uber’s CEO at the time, and some members of Uber’s legal team fully informed about what was going on (Kalanick resigned in 2017 under pressure from Uber shareholders on unrelated matters). Sullivan’s lawyers also argued that the government had mischaracterized the reason for Sullivan obtaining the NDA from the hackers and said the real reason had to do with his wanting to ensure they would not release the sensitive data they had accessed.

Uber itself did not participate in the trial, and neither did Kalanick.

At the sentencing, Judge Orrick noted he had received 186 letters from Sullivan’s peers, friends, and family, some arguing for leniency and others calling for prison time. One of the letters calling for probation apparently was from Kalanick.

Avishai Avivi, CISO at SafeBreach, who wrote for Dark Reading on the takeaways for CISOs from the breach, calls Judge Orrick’s sentence well-balanced and appropriate.

“Judge Orrick took into consideration the many letters in support of Mr. Sullivan’s long-term contribution to the public and the information security field in particular,” Avivi says. “Judge Orrick did note that the former Uber CEO Travis Kalanick was ‘just as culpable’ as Joe Sullivan.”

Breach Response Is a Team Sport

Avivi says this is a good time for organizations to reaffirm the central role CISOs play in companies and to realize the cybersecurity buck stops with them. “Also important is for the CISO to create and put in place a contingency plan before they get breached, to minimize the financial and operational fallout when they do.”

Christopher Hallenbeck, CISO, Americas at Tanium, says the key takeaway here is that breach response is a team sport that involves multiple executives. Not reporting a breach is bad enough, but hiding it is worse, he says.

“For various historical reasons, CISOs took on this task of keeping things quiet while trying to fix the issue themselves,” Hallenbeck notes. “If you’re asked or pressured to act unethically or possibly illegally, be prepared to walk away and/or blow the whistle.”

Editorial Team
