Former Uber Chief Security Officer convicted after covering up data breach

Joseph Sullivan convicted of obstructing justice and concealing a felony after covering up a data breach at Uber that exposed 57 million users.

Joseph Sullivan, the former Chief Security Officer (CSO) of Uber Technologies Inc. (Uber), has been convicted of federal charges arising from his cover-up of a 2016 hack of Uber’s databases, a cover-up carried out while the Federal Trade Commission (FTC) was still investigating an earlier breach from 2014.

Sullivan arrived at Uber in 2015, after the 2014 breach had already happened and had been disclosed to the FTC. Uber reported that there had been unauthorised access to the personal information (names and driver’s licence numbers) of approximately 50,000 drivers. Following this disclosure the FTC demanded extensive information on any other breaches as well as on Uber’s security programme and practices.

Customer data

Although Sullivan was not responsible for the 2014 breach, he subsequently testified about it under oath to the FTC and made specific representations about the steps Uber had taken to keep customer data secure.

Just 10 days after this testimony, Uber was compromised again, this time losing the records of 57 million riders and drivers.

Sullivan hid the breach not only from the FTC, but also from much of Uber’s own management. The hackers were paid $100,000 in bitcoin, routed through Uber’s bug bounty programme, in exchange for signing non-disclosure agreements that required them not only to keep the breach secret but also to falsely represent that no data had been taken or stored as part of the hack. The validity of such a non-disclosure agreement (NDA) was questionable to begin with, and more so given that the hackers’ identities were still unknown at the time it was signed.

The hackers were subsequently identified, in January 2017, but even at this point all that was done was to have them sign fresh copies of the original NDA in their true names.

Uber’s senior management changed later in 2017 and, despite Sullivan’s continued efforts to conceal it, the truth about the incident was uncovered and reported to the FTC in full.

Computer fraud conspiracy

In the meantime, the same hackers went on to breach the online learning portal Lynda.com. They were then caught, prosecuted and pleaded guilty to computer fraud conspiracy charges in 2019.

Sullivan will be sentenced at a later date, but potentially faces up to five years in prison on the obstruction count and up to three years on the misprision of a felony count.

This case highlights the fact that robust cyber-security processes are a non-negotiable requirement of doing business. So is prompt disclosure of any material breach where a company is public; the SEC’s statement and guidance on cyber-security disclosure is worth reviewing.

Since 2016, both the volume and the sophistication of attacks have continued to increase, with a wide range of business sectors being targeted globally. The threat level is severe enough that in March 2022 the SEC published proposed new rules on cyber-security risk management, governance and incident disclosure for public companies.

Obstruction of justice

In its news release on the Sullivan case the US Department of Justice (DOJ) draws attention to the specific representations Sullivan made to the FTC in his sworn testimony in November 2016. And although the guilty verdict is for obstruction of justice and misprision of a felony (concealing a felony from the authorities), the DOJ considered the fact that Sullivan had testified to the adequacy and robustness of Uber’s procedures important enough to highlight.

This suggests the DOJ’s intention may be to show that Sullivan understood the seriousness of the issues at stake before setting out on this disastrous course of action. Alternatively, it may simply be intended to point out how pervasive the security failings at Uber were.

This guilty verdict is of particular interest because the DOJ has signalled that it is considering requiring CEOs and Chief Compliance Officers (CCOs) to certify the accuracy of compliance reports and to attest that their company’s compliance programme is fit for purpose. Such a certification would be a statement knowingly made, and would therefore expose whoever signs it to criminal liability if it proves false.