Setting the Record Right: U.S. v. Joseph Sullivan

Summary: The Sullivan decision does not break any new ground but reinforced that CISOs must be forthright within their companies' leadership and with the relevant regulatory agencies. ??

By Daniel Garrie , Jennifer Deutsch , David Cass

Former Chief Security Officer of Uber , Joseph Sullivan, has been found guilty on one count of obstructing the Federal Trade Commission's ("FTC") investigation and one count of misprision, i.e., concealing a felony from authorities. In the aftermath of the U.S. v. Sullivan trial, there has been a flurry of discourse concerning CISO accountability for government disclosures and what it might mean for the profession's future. See U.S. v. Joseph Sullivan (N.D. Cal. No. 20-cr-00337-WHO)We have seen spirited debate and various inaccurate and/or misleading representations of the facts of the case. Based on what some people say, we feel compelled to set out an account of the critical facts to help the discourse stay productive. For context, Daniel Garrie served as the U.S. government's cybersecurity expert in this case, and the other contributors are also aware of the facts and details of the dispute. Although Mr. Garrie did not testify, he attended the trial every day and reviewed all the evidence presented. As you will see, the Sullivan decision did not break any new ground. Still, it reinforced that CISOs are required to be forthright within their companies' leadership and with the relevant regulatory agencies. ??

On November 14, 2016, Sullivan received an email from a #hacker who claimed they had found a significant vulnerability in Uber's systems that allowed the hacker to access sensitive data. Within a few days, Sullivan's team confirmed that unauthorized individuals had accessed AWS credentials and obtained a copy of a database containing data for approximately 57 million #uber users and 600,000 driver license numbers.

The breach occurred while the Federal Trade Commission (FTC) was investigating Uber over an earlier breach of Uber's online systems from 2014. At no time during the FTC's investigation was the FTC informed about the 2016 breach. At trial, Sullivan's lawyers argued that it was the company's responsibility, not Sullivan's, to respond to the FTC's civil investigative demands. Sullivan's ill-fated defense attempted to distance himself from the FTC's investigation. However, the evidence presented at the trial showed Sullivan's central role in Uber's responses. Sullivan participated in a presentation to the #FTC in the Spring of 2016 and provided sworn testimony to the FTC regarding Uber's security posture prior to the incident. In his deposition, he testified at length to Uber's data security practices that had been put into place. Some of these statements were established at trial to be false because ten days after his deposition, the hackers obtained access to numerous AWS keys that were not appropriately protected and could unencrypt data in S3 buckets in a similar method to the 2014 breach.

Additionally, Sullivan was obliged to further supplement his testimony and provide any relevant information to the FTC. Sullivan was copied on a variety of email chains with Uber's in-house counsel relating to the continuing required disclosures and potential settlement with the FTC, but in none of the correspondences did Sullivan disclose the existence of the 2016 data breach. In April 2017, Uber sent a letter to the FTC requesting that their investigation into the company's 2014 data breach be closed. The letter states that Uber's security team had implemented "numerous and extensive additional protections" for data stored in its S3 buckets to prevent a repeat of the 2014 incident. The letter does not disclose the 2016 breach. In August 2017, Uber and the FTC agreed to a proposed settlement regarding the 2014 breach. See FTC Press Release, Uber Agrees to Expanded Settlement with FTC Related to Privacy, Security Claims Company failed to disclose the breach in the fall of 2016 during FTC investigation (last visited, 10/21/2022)

After Sullivan received notice of the 2016 breach, the hackers demanded a $100,000 payout in exchange for disclosing the vulnerability. At trial, in-house attorney and security team member Craig Clark testified it was Sullivan's idea to cover up the incident under the guise of a bug bounty program and had the hackers sign nondisclosure agreements. A bug bounty program is a process in which a third-party intermediary arranges payment to so-called "white hat" hackers who identify security vulnerabilities but have not compromised data. This breach did not follow Uber's public #bugbounty program terms or industry standards. See Daniel Garrie & David Cass, Don't Blame Bug Bounties, Blame Joe Sullivan As. Not only was the $100,000 payout ten times more than the max outlined in the bug bounty program, but the method the hackers used to obtain the data was also an example of a behavior that, under Uber's program rules, disqualified them from participating in the bug bounty program. The facts presented at trial demonstrated this was a ransom payment, not a bug bounty — the hackers had possession of Uber's data and would only return the stolen data if Uber paid them money. Ultimately, the jury saw through Sullivan's veiled attempt to classify extortion as a bug bounty program to hide the breach from Uber's senior management.

On November 18, 2016, the hackers signed an initial NDA using aliases. The NDA contained a false representation that the hackers did not take or store any data. See, Affidavit of Special Agent Mario C. Scussel in Support of Criminal Complaint. Evidence presented at the trial exposed Sullivan modified the nondisclosure agreement to make it seem like the breach was white hat research and never corrected that language despite knowing it was false. Additionally, payment was issued to the hackers via bitcoin using HackerOne's bug bounty platform. At the time of payment, Sullivan and his team did not know the true identities of the hackers. After payment, Sullivan and his team identified the hackers in January 2017. Sullivan directed Uber employees, ex-members of three-letter security agencies, to interrogate the hackers in person. Sullivan, via this process, obtained new copies of the NDA executed in the hackers' actual names after they had paid the ransom. The new NDAs retained the false language that the hackers had obtained no data. Id.

At trial, Sullivan's lawyers argued that his actions were taken with the blessing of executive management. Sullivan initially contacted then-CEO Travis Kalanick about a "sensitive" matter. According to court testimony and documents, Sullivan did not reveal the 2016 breach to Uber's general counsel nor any other members of the senior leadership team. One member of Sullivan's team testified that Sullivan told Uber's security team that they needed to keep the breach secret and that the investigation did not exist for anyone outside the security group. Sullivan went so far as to ask Uber's Chief Technology Officer (CTO) to reset all the passwords but never told the CTO about the breach or a potential security risk. In August 2017, #Kalanick stepped down and was replaced by Dara Khosrowshahi. In September 2017, after Khosrowshahi learned about the 2016 incident from another source, he requested Sullivan provide a summary of the 2016 incident that precipitated the $100,000 bug bounty payout. Sullivan asked his team to prepare an overview of the incident, but after he received their draft summary, Sullivan edited it. His edits removed details about the data the hackers had taken and falsely stated that payment had been made only after the hackers had been identified. Sullivan was subsequently fired from Uber for concealing the breach and paying off the hackers. Khosrowshahi testified he fired Sullivan because he lost trust after Sullivan hid key details about the 2016 hack in an "incomplete or misleading" email.

Most #regulators understand that during an incident response, CISOs often work with imperfect information. While adhering to notification requirements set forth in some regulations, the information regarding the incident will evolve through regular updates. Transparency with regulators and senior executive engagement, including the firm's General Counsel, are some key elements to successful incident response. We hope no CISO thinks it is appropriate not to tell their General Counsel and senior leadership team about a massive data breach, pay an extortion demand masked as a bug bounty program, or edit/write an NDA that they know is false and then use the NDA to justify not telling senior leadership about the data breach. While there is no perfect way to handle a data breach in real-time, the facts of the Sullivan case reinforce that CISOs must disclose data breaches to company management and necessary authorities or face severe consequences.

** Opinions set forth in this article are those of the authors and not the views of their employers