Former Uber CSO Sentenced to Probation, Fined for Data Breach Cover-Up

Joseph Sullivan, the former chief security officer of Uber, was sentenced to three years of probation and ordered to pay a $50,000 fine for covering up a 2016 data breach at the rideshare company. While data breaches and regulatory repercussions are not new, the prosecution of a prominent senior executive is novel.

“The primary implication is that organizations and individual incident responders must be aware that they can become targets of federal criminal prosecution for incident response activities that violate federal criminal laws,” Ed McAndrew, partner at BakerHostetler and former federal cybercrime prosecutor and National Security Cyber Specialist at the US Department of Justice, tells InformationWeek.

What happened following the 2016 data breach, and what lessons can other security executives learn from the case against Sullivan?

The 2014 and 2016 Data Breaches

Sullivan was hired as the first CSO of Uber in 2015, shortly after the Federal Trade Commission (FTC) launched its investigation into a 2014 data breach at the company. He participated in the company’s response to the FTC investigation. Shortly after giving sworn testimony to the FTC, he learned of another breach in 2016: a breach that leveraged the same vulnerability used in the 2014 incident, according to the United States Attorney’s Office Northern District of California press release.

Uber paid the hackers a $100,000 ransom, but the breach, which involved 57 million driver and rider accounts, remained a secret for more than a year. Hackers signed nondisclosure agreements in exchange for payment. Sullivan covered up the breach both internally and externally while Uber was still under investigation for the 2014 breach. “FTC regulators generally place a premium on transparency during these investigations, which also made Sullivan’s cover-up that much worse,” says Heather Clauson Haughian, a managing partner and privacy and data security attorney at law firm Culhane Meadows.

New management at Uber initiated an investigation into the 2016 data breach in 2017, according to the press release. Sullivan concealed the truth about the breach from management and the company’s outside lawyers. Management uncovered the true circumstances of the breach, which were disclosed to the FTC and the public in November 2017.

The Consequences

Over its history, Uber has come under scrutiny for a number of its business practices -- related to data breaches as well as its treatment of drivers and customer safety. In 2022, the company experienced another data breach. What impact will Sullivan’s sentencing have on Uber?

Larry Whiteside, CISO at governance, risk management and compliance software company RegScale, does not expect that Sullivan’s case will have much of an impact on the company’s brand. “It will be used as an example of how a breach didn’t impact the bottom line, thus giving other companies the green light to not put as much emphasis on cyber as they should,” he says.

Mike Hamilton, founder and CISO of cybersecurity company Critical Insight and former CISO for the City of Seattle, points out that the Sullivan case is unlikely to impact the way customers view Uber, but it does mean the company will likely be under more regulatory inspection. “The Securities and Exchange Commission will be applying extra scrutiny to Uber’s public filings for proper articulation of risks for shareholders. Customers won’t care; regulators now have a microscope on Uber,” he says.

The Lessons for Other Leaders

Prosecutors recommended Sullivan be sentenced to a prison term of 15 months. Instead, his sentence includes probation and a fine. “Despite getting off with a light sentence, Mr. Sullivan’s actions are likely to reverberate in C-suites for some time,” Hamilton anticipates.

With an ever-expanding attack surface, data breaches are not always preventable. Could more security executives face personal responsibility in the aftermath of a breach? In the Sullivan case, it is important to note: “Sullivan was NOT held liable because a breach occurred on his watch; he was convicted because he covered it up,” Clauson Haughian says.

Security executives could face liability in other situations. For example, failure to implement adequate internal controls to protect company and customer data could result in liability. Clauson Haughian also points to situations in which security executives claim “state of the art” security measures yet fail to meet even basic cybersecurity standards. “This latter situation is exactly what happened to SolarWinds, resulting in the company paying $26 million to settle the case against it and the individuals named in the suit,” she says.

The class action lawsuit against SolarWinds resulting in the $26 million settlement was filed following a December 2020 data breach. Along with the company, several executives, including former CEO Kevin Thompson, were named in the lawsuit. In October 2022, the FTC announced a complaint against online alcohol marketplace Drizly and its CEO James Cory Rellas related to a data breach that impacted 2.5 million people.

In January, the FTC finalized an order that places requirements on both Drizly and Rellas. “Rellas must implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities,” according to the order.

“Imposing personal liability on senior executives in regulatory and now criminal actions is unusual, but part of a larger, recent trend across the federal government,” McAndrew says.

In Sullivan’s case, Hamilton contends it is unlikely he acted without the knowledge of other executives. “We don’t know how much pressure may have been placed upon Sullivan from other internal authorities that led him to make these poor decisions,” Clauson Haughian says.

What does this mean for people in the CISO role? “CISOs get put in a spotlight as if they are on an island alone. In reality, it takes several people and other execs to enable the decisions and activities that happen for regulatory and breach response to take place,” Whiteside points out.

So, how do CISOs minimize their personal risk and the risk to their organizations? “Risk management in a mature organization is a shared responsibility. Risks should be identified, a disposition assigned (accept, avoid, mitigate, transfer), and that information pushed up through a governance organization to ensure that multiple leaders have ‘fingerprints’ on decisions,” Hamilton says. “Ideally, this should insulate the CISO from claims of negligence.” Directors and officers insurance (D&O) insurance can also give company executives liability coverage.

“My advice to CISOs out there: Don’t cover up what you know is a confirmed data breach from anyone in your organization and rely on your attorneys to decide if/how notifications are required under applicable law because that decision is not in your lane,” Clauson Haughian says.

What to Read Next:

Cybersecurity Lessons from the Trial of Uber’s Former Chief Security Officer

Breach Takes Systems Down Across Western Digital

Data Breach Settlement: Manufacturing Company to Pay $1.75M to Employees