Enough of a cautionary tale? Uber’s ex-CSO who hid data breach narrowly escapes prison
It’s human nature to want to conceal embarrassing stuff to make yourself look good. When it comes to work, it can be covering up your or your company’s slip-ups and mistakes in the hopes that no one will notice — an approach that reeks of unprofessionalism and will inevitably backfire, causing more problems or damage in the long run. This part of human nature is what prosecutors say led to the downfall of Joe Sullivan, the former chief security officer (CSO) of ride-hailing and food delivery company Uber.
On May 4, Sullivan was sentenced to three years of probation for obstruction of justice and felony cover-up related to the 2016 data breach. In that breach, two hackers accessed the personal information (names, email addresses, and phone numbers) of 57 million Uber riders and drivers, including the driver’s license numbers of approximately 600,000 drivers in the US. While data breaches of this magnitude are rare, they are not unheard of; what makes this case particularly interesting is that it’s the first time a company’s chief security officer has faced criminal charges for mishandling one, with a real prospect of landing in jail.
Uber kept its customers and contractors in the dark about the breach for a year. This secrecy not only cost the firm some $148 million in fines, but, most importantly, robbed customers and drivers of the ability to take timely steps to protect themselves from identity theft, fraud, and other risks they faced as a result of the potential misuse of their data by hackers.
Jail awaits next offenders, even ‘Pope Francis’
Prosecutors claimed that if not for the “fortuitous arrival” of the new Uber CEO, Dara Khosrowshahi, in August 2017, Sullivan would most likely have gotten away with the cover-up. “There is every reason to believe the tens of millions of victims of the 2016 Data Breach never would have learned about it,” they said.
They demanded that Sullivan serve real jail time — 15 months in prison. The eventual non-custodial sentence may seem like a slap on the wrist, but judge William Orrick explained that he was only merciful because Sullivan was the first security executive to ever face criminal charges for hiding and lying about a data breach. He warned that those who fail to learn from this cautionary tale and commit the same crime should expect harsher treatment. He said: “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.”
For those of you who have not been following the case closely, or need a refresher, here is our brief overview of the events that led to Sullivan’s fall from grace.
Off to a rocky start
Sullivan joined Uber as its first chief security officer in April 2015 to handle the aftermath of the 2014 data breach that exposed Uber’s online systems. The company must have had high hopes for Sullivan, as he had previously served as a federal prosecutor, worked at PayPal and eBay, and spent five years as Facebook’s CSO. With its reputation tarnished by the 2014 breach, Uber hoped that Sullivan would help it elevate its security practices and image.
However, a year and a half into his new job, Sullivan faced a security crisis of his own. In November 2016, Sullivan discovered a new breach that compromised the personal information of millions of Uber users and drivers. The timing couldn’t have been worse: this breach occurred just 10 days after he had testified to the FTC about the 2014 breach and the security measures Uber had implemented since then. In his testimony, Sullivan had claimed that Uber had encrypted account data and removed Amazon Web Services account keys from its GitHub repositories, addressing some of the weaknesses that had led to the 2014 breach.
Well, that wasn’t quite the truth. The 2016 breach was “due to some of the same deficient security practices that led to the 2014 data breach,” investigators later found. This fact, according to prosecutors, was obvious to Sullivan, an experienced security officer, “almost immediately.” The problem, they note, was that Sullivan had already misrepresented Uber’s encryption practices and the extent of employee access to data in his testimony to the FTC, including in statements he made under oath. For example, Sullivan lied to the FTC that Uber stopped storing unencrypted personal information on Amazon Web Services (Amazon’s cloud computing platform) after March 2015, when in fact “unencrypted personal information remained on AWS until at least November 2016, when two hackers stole a huge quantity of that data.”
Sullivan faced a tough choice: either admit the recent data breach to regulators, and risk his and the company’s reputation, or sweep it all under the rug and hope no one would find out. He chose the latter.
The cover-up: hush money coated as bug bounty
According to ex-Uber lawyer Craig Clark, who testified against Sullivan, upon learning about the theft of user personal data, Sullivan came up with a plan to dress up the breach as a “standard interaction with security researchers within Uber’s bug bounty program.” Even though the top payout in Uber’s bug bounty program at the time was $10,000 for a critical issue, Sullivan offered the still anonymous hackers a lump sum of $100,000, which was their extortion demand. Sullivan then had the hackers (who still had not disclosed their true identities) sign an NDA in which they promised to button their lips about the breach.
At that point, according to the US Justice Department, the ex-Uber security chief was hiding the truth even from the in-house legal team. While Uber was in the middle of settling the 2014 breach with the FTC, Sullivan did not say anything about the new breach to Uber’s own lawyers, and instead “touted the work he and his team had done on data security.” Sullivan, however, disputed this version of the events during the trial, claiming that Uber’s legal department and other managers were in the know.
As for whether then-Uber CEO Travis Kalanick was in on the ruse… Well, Kalanick has not been charged with anything related to the data breach. Still, at Sullivan’s sentencing, judge Orrick called the former CEO “just as culpable” as Sullivan. Go figure.
The exposure of the truth
They say the truth always comes to light, and they are not wrong. After Dara Khosrowshahi was named Uber’s new CEO in August 2017, Sullivan, prosecutors allege, kept up the charade for some time. In particular, Sullivan, prosecutors say, wrote to Khosrowshahi that the hackers had never taken any data and had been identified before they were paid.
But what goes around comes around, and in November 2017 Sullivan was fired, while Uber publicly disclosed the breach. In a statement about the breach, Khosrowshahi acknowledged that the hackers “downloaded files” containing user information and apologized for not notifying those affected. At Sullivan’s trial, the hackers (by then identified) testified that they had indeed signed a nondisclosure agreement with Uber under their fake names and falsely claimed that they had not downloaded or stored any of the data.
After firing Sullivan, Uber hired a new security team and vowed to prevent such incidents from happening in the future. But even though Uber may have changed its reporting practices, that hasn’t prevented the company from suffering several major data breaches since 2016, including in September 2022, when it fell victim to the Lapsus$ hacking group.
The consequences: personal…
As for Sullivan, his not-so-graceful exit from Uber did not spoil his career prospects. Half a year after he was fired by Uber, Sullivan joined Cloudflare as its chief security officer. He took a leave from Cloudflare in July 2022 to prepare for the trial and, according to his LinkedIn page, left the company in October, just as a jury found him guilty of two felonies related to the cover-up.
In January 2023, Sullivan was appointed CEO of Ukraine Friends, a humanitarian non-profit. At his sentencing, Sullivan owned up to his mistakes in handling the data breach. “I should have fought for transparency, and in every situation I’ve been in since, I’ve made sure of that. I learned that lesson,” he said.
…and for the industry
This case could become a game changer for the industry as a whole. First and foremost, it sends a clear message that sweeping data breaches under the rug is the worst possible practice. It will also (hopefully) serve as a strong deterrent for those who think they can save their own or their company’s reputation at the expense of user security.
Faced with the possibility of real jail time, chief security officers and other senior security professionals should know better than to cover up data breaches, including, and especially, when their own negligence might have contributed to what happened.
The way this case unfolded also shows that paying a ransom to hackers, especially those who refuse to identify themselves and whose behavior does not resemble that of ‘white hats,’ is a terrible decision that can backfire many times over.
If security officers ignore the lessons from this case and repeat the same mistakes as the ex-Uber CSO, they will have no one to blame but themselves when they end up behind bars. They have been warned. But will this be enough of a cautionary tale? That remains to be seen.