Courthouse News Service | Monday, December 5, 2022

Trial of ex-Uber security chief accused of concealing data breach goes to jury

Joseph Sullivan, former head of security at Uber, stands accused of concealing a 2016 data breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.

SAN FRANCISCO (CN) — When Uber suffered a grievous data breach in 2014 that landed it in the crosshairs of the Federal Trade Commission, cybersecurity rock star Joe Sullivan was brought in to fix things.

Now the former chief security officer faces prison time for his handling of a very similar data breach that happened during the throes of the FTC’s investigation into the ride-hail giant's security practices. Prosecutors say Sullivan actively worked to keep the FTC from finding out about the second breach, putting his reputation as a luminary in the cybersecurity world over his obligation to report the breach to regulators.

“Why did he lie? The true story is it looked terrible for him,” Assistant U.S. Attorney Ben Kingsley told a jury at the close of a landmark obstruction trial closely watched by corporate security chiefs and legal departments nationwide.

Kingsley said Sullivan’s history as a federal prosecutor who founded the U.S. Attorney’s cybercrimes unit meant that he knew the FTC would have wanted to be alerted when two hackers broke into Uber’s Amazon server and swiped the personal information of 57 million app users in the fall of 2016.

It was the same sort of breach the company had suffered just two years before, when a hacker stole the key to Uber’s Amazon Simple Storage Service (S3) from a GitHub repository and used it to access unencrypted customer information.

Kingsley said Sullivan had realized the breach "may play very badly based on previous assertions” he’d made in testimony to the FTC: that Uber had already solved the problem by encrypting customer database backups, limiting access to Amazon S3 buckets full of customer data, and taking keys out of GitHub and storing them in a secure custom vault called Langley. Sullivan had testified about those upgrades just ten days before the 2016 breach.
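The failure mode described above, a cloud storage key sitting in a GitHub repository, is one that a repository-side check can catch before the commit lands. The following pre-commit-style scanner is an added example and is not code from the article, from Uber or from its Langley vault; the diff it scans is constructed, the key values are the placeholder credentials AWS publishes in its own documentation, and the `${vault:...}` reference syntax is a hypothetical stand-in for whatever secrets manager a team uses.

```python
import re
import sys

# Constructed sample of a staged diff (hypothetical). The two key values are the
# placeholder credentials AWS uses in its own documentation; the vault reference
# on the last line is how a key should be pulled in and must NOT be flagged.
SAMPLE_DIFF = """\
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+region = us-west-2
+aws_access_key_id = ${vault:app/s3/key-id}
"""

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 uppercase chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret assigned to the conventional config key name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def redact(value: str) -> str:
    # Show only enough of a key to locate it; never echo the whole secret.
    return value[:4] + "..." + value[-4:]

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, value) for every AWS credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append((line_no, "aws_secret_access_key", m.group(1)))
    return findings

def pre_commit_check(diff_text: str) -> tuple[bool, list[str]]:
    """Hook entry point: (ok, report); ok is False when the commit must be blocked."""
    findings = scan_text(diff_text)
    report = [f"line {n}: {kind} {redact(value)}" for n, kind, value in findings]
    return not findings, report

if __name__ == "__main__":
    # Read the staged diff from stdin (`git diff --cached | python hook.py`), else scan the sample.
    ok, report = pre_commit_check(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    print("\n".join(report) or "no credentials found")
    sys.exit(0 if ok else 1)
```

Wired into a pre-commit hook, a non-zero exit blocks the commit; the same scanner run over a repository's full history is the usual first step in finding keys that already leaked and must be rotated.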

But they hadn’t actually finished all that, and Sullivan knew it, Kingsley said. "You can see him realizing, ‘oh no, this is exactly the sort of thing we told the FTC wouldn't happen anymore.'”

Kingsley said Sullivan decided to deal with the situation quietly, paying the two hackers $100,000 in Bitcoin through Uber’s white hat bug bounty program while continuing to help Uber’s in-house legal team negotiate a settlement that would bring the regulatory agency's investigation to a close.

"Anyone who knew about the FTC investigation would have known that the FTC expected to be told. This was no accident, it was deliberately withholding and concealing the information,” Kingsley said. “The defendant still needed a way to make this incident go away quietly in a way he wouldn't have to tell the FTC about it.”

But Sullivan’s defense attorney David Angeli said Sullivan made no effort to conceal the breach, and that he wasn’t trying to avoid public disclosure.

“In hindsight six years later, the government can try all it wants to second guess the decisions that Joe Sullivan and the team made while they were operating in that pressure cooker. They did the best they could with the hand they were dealt at the time, operating in the real world,” he said in his closing statement.

“At the end of the day, the evidence is clear that that team and Mr. Sullivan believed the users’ data was safe and the incident was not something that needed to be reported. There was no cover-up. And there was no obstruction.”

Angeli said prosecutors could not show that Sullivan took active steps to conceal the breach. “The mere failure to report a felony is not a crime,” he said, a line he would repeat several times. “The main legal issues are: has the government proven beyond a reasonable doubt that Mr. Sullivan did things to cover up the 2016 incident, and proven beyond a reasonable doubt that he corruptly obstructed the FTC from finding out about it? The answers to these questions are emphatically no.”

Angeli said Sullivan may have held a second title as general counsel within the company’s org chart, but he had his hands full as chief security officer. “Uber's policies made clear that Legal was responsible for determining whether reporting was required and for managing any contact with law enforcement,” Angeli said. "Sullivan already had a full plate, an overflowing plate.”

Sullivan faces eight years in federal prison on one count of obstructing the FTC's investigation and one count of misprision of a felony, or acting to conceal a felony from authorities. His fate now rests with the jury, which began its deliberations late Friday.
