Judge Spares Former Uber CISO Jail Time Over 2016 Data Breach Charges

Published: 23/11/2024   Category: security




"Tell other CISOs you got a break," judge says in handing down a three-year probation sentence to Joseph Sullivan.



On May 4, a federal judge in California sentenced former Uber chief information security officer Joseph Sullivan to three years of probation for his role in covering up a 2016 data breach that exposed data on more than 50 million customers.
Judge William Orrick of the US District Court for the Northern District of California also ordered Sullivan to pay a $50,000 fine and do 200 hours of community service.
The no-prison-time sentence is likely to come as a relief of sorts for some within the industry who had perceived Sullivan as the fall guy for a broader security failure at Uber. Others, including prosecutors in the case who had argued for a 15-month prison term, will likely view the sentence as not doing enough to deter similar behavior by executives in high-stakes situations.
In handing down the sentence, Judge Orrick minced no words in making clear that other cybersecurity leaders would not be so fortunate if they ended up before him as Sullivan did.
"If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," some media outlets quoted Judge Orrick as saying during the sentencing. "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off."
A federal jury found Sullivan guilty last October on two felony counts related to a data breach at Uber in November 2016 that exposed data belonging to some 57 million customers and 600,000 drivers at the ride-sharing giant. One of the counts concerned Sullivan actively concealing the breach from Federal Trade Commission (FTC) officials who, at the time, were investigating an earlier 2014 breach at Uber. Federal prosecutors charged Sullivan with deliberately withholding and concealing the 2016 breach from FTC investigators even as he provided sworn testimony to them about the 2014 breach.
The second count on which the jury convicted Sullivan was misprision of a felony, for working to cover up the 2016 breach from others, including executives at Uber. Prosecutors said Sullivan did this by paying $100,000 to the two hackers responsible for the breach to keep them from making it public. Sullivan, working with other members of his security team, arranged for the hackers to receive the payment through Uber's official bug bounty program and then had them sign a supplemental nondisclosure agreement (NDA), in essence to buy their silence. To receive the money, the hackers attested that they had not accessed any sensitive data at Uber when, in fact, they had.
The bounty was the largest Uber had paid researchers under its bug bounty program up to that time. The supplemental NDA was also the first time Uber had imposed such a requirement on bug hunters, prosecutors said in highlighting the lengths to which Sullivan went to conceal the breach. In their sentencing memorandum, prosecutors noted that Sullivan almost got away with his plan because knowledge of the FTC's investigation and of Uber's cybersecurity program existed within a silo at the company. Only a few people knew of the significance of the breach, and had it not been for the arrival of a new CEO, Dara Khosrowshahi, in August 2017, the incident would have remained a secret, they noted.
At Sullivan's trial last year, Khosrowshahi said he fired Sullivan in 2017 after finding out that Sullivan had attempted to mislead him in an email about the 2016 data breach. The Uber CEO said he decided to inform regulators of the incident because he felt Sullivan's decision not to disclose the breach was the wrong one.
In pleading for a probationary sentence, Sullivan's attorneys argued that prosecutors had overstated the implications of some of the former CISO's statements and actions. They noted that Sullivan had kept Travis Kalanick, Uber's CEO at the time, and some members of Uber's legal team fully informed about what was going on (Kalanick resigned in 2017 under pressure from Uber shareholders on unrelated matters). Sullivan's lawyers also argued that the government had mischaracterized the reason for Sullivan obtaining the NDA from the hackers and said the real reason was that he wanted to ensure they would not release the sensitive data they had accessed.
Uber itself did not participate in the trial, and neither did Kalanick.
At the sentencing, Judge Orrick noted he had received 186 letters from Sullivan's peers, friends, and family, some arguing for leniency and others calling for prison time. One of the letters calling for probation apparently was from Kalanick.
Avishai Avivi, CISO at SafeBreach, who wrote for Dark Reading on the takeaways for CISOs from the breach, calls Judge Orrick's sentence well-balanced and appropriate.
"Judge Orrick took into consideration the many letters in support of Mr. Sullivan's long-term contribution to the public and the information security field in particular," Avivi says. "Judge Orrick did note that the former Uber CEO Travis Kalanick was just as culpable as Joe Sullivan."
Avivi says this is a good time for organizations to reaffirm the central role CISOs play in companies and to recognize that the cybersecurity buck stops with them. Also important is for the CISO to create and put in place a contingency plan before they get breached, to minimize the financial and operational fallout when they do.
Christopher Hallenbeck, CISO, Americas, at Tanium, says the key takeaway here is that breach response is a team sport that involves multiple executives. "Not reporting a breach is bad enough, but hiding it is worse," he says.
"For various historical reasons, CISOs took on this task of keeping things quiet while trying to fix the issue themselves," Hallenbeck notes. "If you're asked or pressured to act unethically or possibly illegally, be prepared to walk away and/or blow the whistle."
