*The views expressed in this article do not represent the views of Santa Clara University.
Credit: Kyle Calzia
On October 5, 2022, Joe Sullivan (“Sullivan”), the former Chief Security Officer (“CSO”) of Uber, was convicted of obstruction of justice and misprision (deliberate concealment of a felony) in an attempted cover-up of the 2016 data breach involving millions of Uber users’ and drivers’ records.
Sullivan was hired as Uber’s CSO in April 2015. Before joining Uber, Sullivan was an Assistant United States Attorney in the Northern District of California’s computer hacking and IP unit. He also served on the United States Presidential Commission on Enhancing National Cybersecurity from April to December 2016. As Kathleen McGee (“McGee”) points out, “In this case, the CISO was also a former DOJ attorney, which frankly increased his basis of knowledge beyond a traditional CISO.” McGee added, “Sullivan should have been well-aware of his obligation to continue informing federal regulators and the state attorneys general about this additional incident and should have been well-positioned to assess the risk involved in misleading authorities regarding the hacking.”
Despite his background as a former prosecutor, Sullivan failed to report the conspiracy to extort Uber in connection with the company’s 2016 data breach by two hackers, Brandon Charles Glover (“Glover”) and Vasile Mereacre (“Mereacre”). Below, we discuss the two prominent data breaches, in 2014 and 2016, and the privacy violations associated with each. The timeline below depicts Sullivan’s employment with Uber and the company’s breaches.
Legal Analysis of the Decision
The Federal Trade Commission Act (the “FTC Act”) empowers the Federal Trade Commission (the “FTC”) to investigate and prosecute deceptive and anticompetitive business conduct. Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” An “unfair act” is a practice that causes or is likely to cause substantial injury to consumers, that consumers cannot reasonably avoid, and that is not outweighed by countervailing benefits to consumers or competition. A “deceptive act” is a representation, omission, or practice that is likely to mislead consumers acting reasonably. For example, the FTC has brought enforcement actions against Uber for false or misleading representations about the security measures it took to protect consumers’ personal information (“PI”).
Uber’s 2014 Data Breach
In May 2014, an intruder was able to access consumers’ personal information (“PI”) in plain text in Uber’s Amazon S3 Datastore using an access key that an Uber engineer had publicly posted to GitHub (a code-sharing website used by software developers). The publicly posted key granted full administrative privileges to all data and documents stored within Uber’s Amazon S3 Datastore. The intruder accessed one file that contained sensitive PI belonging to Uber drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. The file also contained other Uber driver information, including physical addresses, email addresses, mobile device phone numbers, device IDs, and location information from trips provided by the Uber drivers.
Uber’s Violations Regarding the 2014 Data Breach
False or Misleading Representation: On November 28, 2014, Uber issued a statement to combat negative public opinion after news reports that its employees were improperly accessing consumer data. The statement was continuously posted on Uber’s website and widely disseminated in the press. It described Uber’s strict policy prohibiting all employees at every level from accessing a rider or driver’s data.
False or Misleading Representation: The statement also mentioned that Uber was closely monitoring and auditing adherence to this policy by means of data security specialists. This was false. Uber developed an automated system for monitoring employee access to consumer PI but stopped using it after less than a year.
Uber’s 2016 Data Breach
In late 2016, intruders gained access to Uber’s Amazon S3 Datastore using an access key that, again, an Uber engineer had posted to GitHub in plain text. The intruders said they logged in to Uber’s GitHub account using passwords that had been exposed in other large data breaches, and found the access key in the repository. The intruders downloaded 16 files from Uber’s datastore between October and November 2016. These files contained unencrypted consumer PI, including 25.6M names and email addresses, 22.1M names and mobile phone numbers, and 607,000 names and driver’s license numbers. Uber learned of this breach of consumer PI when the intruders contacted Sullivan demanding $100,000. Uber paid the intruders through the third party that administers Uber’s “bug bounty” program.
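Both breaches described above started the same way: an AWS access key committed to a GitHub repository in plain text, found by someone who should not have had it. The check a security team would want is a secret scanner run as a pre-commit hook or CI step, so the key never reaches the repository. The following is an added example written for this article, not code from Uber, the FTC, or the court record. It assumes the two AWS key formats (an access key ID beginning with AKIA or ASIA, and a 40-character secret) and an entropy threshold chosen here; the sample diff is constructed, and the key pair in it is AWS’s own documentation placeholder, not a live credential.

```python
"""Added example: a minimal secret scanner for AWS credentials in diffs or source."""
import math
import re
from collections import Counter

# Long-lived AWS access key IDs start with AKIA; temporary (STS) ones with ASIA.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A 40-character base64-like token on a line that mentions a secret key.
# The entropy gate below weeds out placeholders such as "aaaa...".
AWS_SECRET = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret)[^\n]{0,30}?"
    r"[\"'=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_SECRET_ENTROPY = 3.5  # bits per character (assumed threshold); real keys score above 4

# Constructed sample diff. The key pair is AWS's documented placeholder pair
# (AKIAIOSFODNN7EXAMPLE / wJalrX...EXAMPLEKEY), not a live credential.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+S3_BUCKET = "example-datastore"
+REGION = "us-west-2"
+SECRET_NOTE = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only the ends of a secret so the scanner's report does not re-leak it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list[dict]:
    """Return one finding per credential found, with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append({"line": line_no, "kind": "aws_access_key_id",
                             "masked": mask(m.group(0))})
        for m in AWS_SECRET.finditer(line):
            candidate = m.group(1)
            # Low-entropy 40-character strings are placeholders, not keys.
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append({"line": line_no, "kind": "aws_secret_access_key",
                                 "masked": mask(candidate)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
    # A pre-commit hook would exit non-zero here to block the commit.
```

Run against the sample diff, the scanner reports the access key ID on line 2 and the secret on line 3, and ignores the 40-character placeholder on line 6 because its entropy is zero. Catching the key at commit time is only half the fix: a key that does reach a public repository must be treated as compromised and rotated, and, as the 2014 breach shows, a key scoped to a single bucket would have limited the damage far more than one with full administrative rights.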
Uber’s Violations Regarding the 2016 Data Breach
False or Misleading Representation: Uber represented, “directly or indirectly, expressly or by implication, that it would provide reasonable security for consumers’ [PI] stored in its databases” but it failed to do so, which resulted in harm to Uber riders and drivers.
Criminal Charges Against Sullivan - United States of America vs. Joseph Sullivan
“This is a case about cover-up, about payoff and about lies,” Andrew Dawson, an assistant U.S. attorney in the Northern District of California, told the court in his opening argument. This case centered on Sullivan’s actions following the 2016 data breach, resulting in charges of obstruction of justice and misprision of felony.
After Sullivan received an email from “johndoughs@protonmail.com” claiming to have found a “major vulnerability in [U]ber,” Uber’s security team began to investigate and realized that an unauthorized person or persons had accessed Uber’s source code, located an AWS credential in it, and used that credential to download Uber’s data (consumers’ PI). Uber staff identified the hackers by January 2017. Sullivan paid the hackers $100,000 but insisted that they sign non-disclosure agreements (“NDAs”) in exchange. The funds came from “Uber’s bug bounty program,” which had a cap of $10,000. Moreover, the reward policy contained language specifying that dumping user data from AWS did not qualify for a bug bounty payment. The NDAs also falsely represented that the hackers had not obtained or stored any data during their intrusion. Nevertheless, Sullivan approved the false language in the NDAs, and the hackers were paid in Bitcoin.
At this point, Sullivan’s actions reflected his intent to actively hide a felony and conceal the truth of the 2016 data breach. The details of the 2016 data breach only became public knowledge when Uber’s new CEO issued a press release. Sullivan now faces up to five years in prison on the obstruction charge and up to three years on the second charge of failing to report a felony.
Implications for Businesses
A Chief Security Officer (also known as a Chief Information Security Officer or “CISO”) is an executive responsible for the safety and security of company data, personnel, and assets, including client data. CISOs are responsible for preventing data breaches, phishing, and malware by developing robust security protocols and crisis-management plans. As Rick Holland explains, “CISOs already have a challenging job, and this [Uber] case raises the stakes for what he call[s] ‘CISO scapegoating.’” Holland predicts three effects of the Sullivan verdict on the CISO role going forward:
A decline in the number of CISOs and aspiring CISOs willing to take on the potential personal liability of the CISO role;
An increase in the number of cybersecurity personnel whistle-blower cases, similar to that of Twitter; and/or
An increase in CISOs negotiating directors and officers (D&O) insurance into their employment contracts.
Many suspect that Sullivan's conviction will lead to a lack of interest in cybersecurity and divert talented security professionals towards other careers. A decline in the supply of cybersecurity professionals will result in lean, overworked incident response teams, which may lead to more incidents and breaches, ultimately to the detriment of consumers.
Useful Sources
A copy of the revised FTC Enforcement Action against Uber is available here. A copy of the settlement agreement is available here. A copy of the criminal complaint against Sullivan is available here.