Toward the end of 2016, hackers stole the personal data of more than 57 million Uber drivers and passengers. It took around a year for Uber to disclose the breach, and two more after that before two men pleaded guilty to pulling it off. And the repercussions are still echoing. On Thursday, the Department of Justice charged Uber's former chief security officer Joseph Sullivan with obstruction of justice and concealing a felony for allegedly failing to report the incident to Federal Trade Commission investigators in 2016.
At issue is not just Sullivan's slowness to report the breach. Uber already paid $148 million to settle in 2018 with attorneys general across the United States for violating state data breach disclosure laws, which often require notification within 45 days. But the new indictment alleges that Sullivan participated in an internal Uber effort in 2016 to actively cover up the breach by paying the hackers $100,000 through the company's bug bounty program to delete the stolen data and sign a nondisclosure agreement about the incident. According to court documents, Sullivan did so while cooperating with the Federal Trade Commission in an existing investigation about an unrelated 2014 Uber data breach and the company's data security practices overall.
The circumstances described in the case are both specific and extreme; the exact same conditions would have to be present for federal prosecutors to use this strategy in other cases, making it unlikely to set a broadly applicable precedent. But Sullivan's indictment is the first direct example in the US of a corporate executive facing criminal charges and prison time—up to eight years in this case—over a data breach response. As such, it has the potential to usher in a new era of accountability for corporate officers who botch these sensitive and high-stakes remediations.
"The complaint alleges that Uber had been hacked in September of 2014 and that the FTC was gathering information about that 2014 hack. The FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath," US attorney for the Northern District of California David Anderson said in remarks about the indictment. "Sullivan helped to prepare Uber's written responses and was the designated officer who gave sworn testimony to the FTC. On November 14, 2016, approximately 10 days after providing this testimony to the FTC, Sullivan learned of the 2016 hack. Sullivan did not report the 2016 hack as required. Instead Sullivan hid the 2016 hack from the public and the FTC… After the 2016 payment, Sullivan reviewed and approved statements to the FTC that failed to reveal the 2016 hack."
Representatives for Sullivan told reporters on Thursday that Uber's corporate policies at the time "made clear that Uber's legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed."
"We continue to cooperate fully with the Department of Justice’s investigation," said an Uber spokesperson in a statement on Thursday. "Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."
In a November 2017 blog post publicly disclosing the 2016 breach, Uber's CEO Dara Khosrowshahi, who had just joined the company in August 2017, wrote, "You may be asking why we are just talking about this now, a year later. I had the same question." He added, "None of this should have happened, and I will not make excuses for it."
Khosrowshahi fired Sullivan and Craig Clark, a security lawyer, in 2017. Sullivan, who prior to Uber had been the chief security officer at Facebook, is now chief information security officer for the internet infrastructure company Cloudflare. In a tweet on Thursday, Cloudflare CEO Matthew Prince wrote, "Sad to see Joe Sullivan allegations. … Anytime an opportunity arose, Joe's advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family."
According to media reports following Uber's 2017 breach notification, other company executives and employees aside from Sullivan approved and helped to carry out the plan to treat the breach like a bug bounty disclosure and pay the hackers off through this mechanism. "I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up," Sullivan told The New York Times in a 2018 statement.
John Flynn, Uber's longtime chief information security officer, who left the company in July, told the Senate Commerce Committee in February 2018 that Uber "made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement."
Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues, notes that Sullivan is apparently being singled out because he provided testimony and assistance to the FTC in its investigation of the company's 2014 breach. Under the Justice Department's standards for establishing individual accountability in corporate wrongdoing at the time of the 2016 FTC investigation, Uber needed to present individuals responsible for the misconduct to receive recognition or "credit" for cooperating with the investigation.
"You've already got the FTC regulators in your office, they're already sifting through your documents, they're already taking sworn testimony from you," Tuma says. "And they probably say something like, 'You have a duty to supplement this if you learn anything new.' And then 10 days later he learned of this other breach."
Legal analysts do have some concerns that the case could lead to overly broad interpretation of what constitutes concealing a felony in the context of vulnerability research and breach disclosure. At times, well-meaning security researchers may inadvertently violate the letter of the Computer Fraud and Abuse Act in small ways, which is why many vulnerability disclosure programs include safe harbor language. If the precedent from this case compelled companies to report even those inconsequential missteps, it could have a chilling effect on vulnerability research.
"For years we have been hearing the same kind of talk that companies aren’t going to change how they protect data until somebody goes to jail over it," Tuma says. "But this isn’t just a typical data breach notification case. Had the FTC investigation not been going on then the question is what law would this have violated? I don’t think this would have been prosecuted in those more typical situations."
While the case is an experiment developing more levers for corporate breach accountability, some argue that a more foundational shift is needed to meaningfully protect consumers. "There needs to be a baseline of rights for users of corporate platforms and real disincentives against violating those rights," says Davi Ottenheimer, who runs security for the data ownership and integrity firm Inrupt. "We need to shift the mindset that this is about human rights law, not just corporate safety and governance."
The fact that Sullivan is the only executive being indicted for something others participated in also sends a flawed message, says Katie Moussouris, a longtime bug bounty program advocate who runs the consultancy Luta Security. She points out that while CSOs should be held accountable for their actions, they shouldn't be put forth as a convenient "Chief Sacrificial Officer."
"I think that singling out Joe for this is ridiculous," Moussouris says. "No company places security and transparency decisions on one executive alone. Not only is there a shared culpability among all the executives involved in the decision, but any bug bounty companies involved in these types of situations must not ignore data breach laws or agree to facilitate clandestine payoffs."
For consumers weary of having their personal data pillaged, though, with few protections or meaningful gestures from the institutions that were hacked, any attempt at accountability may seem welcome.