The Uber Data Breach Conviction Shows Security Execs What Not to Do

Former Uber security chief Joe Sullivan’s conviction is a rare criminal consequence for an executive’s handling of a hack.

Uber's former chief security officer, Joe Sullivan, was found guilty this week of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. The case has reverberated through the security and tech worlds because it is seemingly the first time that an individual executive has faced criminal prosecution for charges related to a data breach against the executive's company. As alarming as Sullivan's conviction may be to some, gauging the fallout for security executives is anything but straightforward.

Chief security officers are sometimes wryly referred to as “chief scapegoat officers” or “chief sacrificial officers,” because the practical challenges of securing massive organizations are so great. It is all but inevitable that companies will suffer hacks and breaches, and CSOs preside over the aftermath. Many now worry that Sullivan's conviction will make the already daunting role even less appealing to top talent. But the United States Department of Justice is positioning the case as an opportunity to set guardrails around what behavior is—and isn't—acceptable in the fraught balancing act of corporate breach response.

“This definitely will have a chilling effect,” says Anthony Vance, a professor and researcher at Virginia Tech who focuses on how individuals and organizations can improve cybersecurity practices. “Most people aren’t clear about the nuance that is involved here, but more generally, it does show that someone could be held accountable and convicted for a data breach, which has never happened. It’s possible even if this is an extreme case.”

Sullivan’s trouble goes back to November 2016, when Uber suffered a data breach that compromised personal information of more than 57 million users, including drivers and passengers. The rideshare giant didn't disclose the breach until November 2017, when its current chief executive officer, Dara Khosrowshahi, took over and fired Sullivan along with a company lawyer, Craig Clark. In 2018, Uber paid $148 million to settle with attorneys general across the United States for violating state data breach disclosure laws.

The delayed notification in itself isn't what brought Sullivan into the Justice Department's crosshairs, though. When Sullivan learned about the 2016 hack, he was already working with the FTC on its ongoing investigation into another, unrelated 2014 Uber data breach. Among other things, Sullivan gave a sworn deposition to the FTC about the incident and the steps Uber had since taken to improve its digital security practices. Ten days after providing this testimony, he learned of the new data breach. The hackers attempted to extort the company by threatening to publish the data they had stolen if they didn't receive payment.

Sullivan has now been convicted of spearheading the effort to cover up this breach by paying the hackers $100,000 through the company's bug bounty program. As part of the deal, authorities say, he required the hackers to delete the stolen data and sign a nondisclosure agreement about the incident. These actions amounted to a failure to report a felony, according to the DOJ, and resulted in a “misprision of felony” charge. He was also charged in 2020, and convicted this week, of obstructing FTC proceedings for failing to amend his testimony to the agency about Uber's security conditions once he learned of the 2016 breach.

“This is a unique case because there was that ongoing FTC investigation,” says Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues. “He had just given sworn testimony and was most certainly under a duty to further supplement and provide relevant information to the FTC. That’s how it works.”

Tuma, who frequently works with companies responding to data breaches, says that the more concerning conviction in terms of future precedent is the misprision of felony charge. While the prosecution was seemingly motivated primarily by Sullivan's failure to notify the FTC of the 2016 breach during the agency's investigation, the misprision charge could create a public perception that it is never legal or acceptable to pay ransomware actors or hackers attempting to extort payment to keep stolen data private.

“These situations are highly charged and CSOs are under immense pressure,” Vance says. “What Sullivan did seems to have succeeded at keeping the data from coming out, so in their minds, they succeeded at protecting user data. But would I personally have done that? I hope not.”

Sullivan told The New York Times in a 2018 statement, “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up.”

The facts of the case are somewhat specific in the sense that Sullivan didn't simply lead Uber to pay the criminals. His plan also involved presenting the transaction as a bug bounty payout and getting the hackers—who pleaded guilty to perpetrating the breach in October 2019—to sign an NDA. While the FBI has been clear that it doesn't condone paying hackers off, US law enforcement has generally sent a message that what it values most is being notified and brought into the process of breach response. Even the Treasury Department has said that it can be more flexible and lenient about payments to sanctioned entities if victims notify the government and cooperate with law enforcement. In some cases, as with the 2021 Colonial Pipeline ransomware attack, officials working with victims have been able to trace payments and attempt to recoup the money. 

“This is the one that gives me the most concern, because paying a ransomware attacker could be viewed out in the public as criminal wrongdoing, and then over time that could become a sort of default standard,” Tuma says. “On the other hand, the FBI highly encourages people to report these incidents, and I’ve never had an adverse experience with working with them personally. There’s a difference between making that payment to the bad guys to buy their cooperation and saying, ‘We’re going to try to make it look like a bug bounty and have you sign an NDA that’s false.’ If you have a duty to supplement to the FTC, you could give them relevant information, comply with breach notification laws, and take your licks.”

Tuma and Vance both note, though, that the climate in the US for handling data extortion situations and working with law enforcement on ransomware investigations has evolved significantly since 2016. For executives tasked with protecting the reputation and viability of their company—in addition to defending users—the options for how to respond a few years ago were much murkier than they are now. And this may be exactly the point of the Justice Department's effort to prosecute Sullivan.

“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” US attorney Stephanie Hinds said in a statement about the conviction on Wednesday. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. Where such conduct violates the federal law, it will be prosecuted.”

Sullivan has yet to be sentenced—another chapter in the saga that security executives will no doubt be watching extremely closely.