Joseph Sullivan, Joined Uber in Spring of year 2015 as its first CSO. This was the time when Uber was experiencing multiple safety and security issues. Sullivan graduated from Matignon High School in 1986, earned his Bachelor of Arts degree at Providence College in 1990, and graduated from the University of Miami School of Law in 1993. His primary focus at Uber was to cater for the safety of people who were using the business of both the riders and drivers, and both in the digital space and in the physical world. He was fired from Uber in November of 2017 for alleged covering up a major data breach by beans of a hack on the system in 2016, and also illegitimately paying up to the hacker; which Sullivan said that it was a conscious decision after consultation with the Legal Team at Uber.
On 05 October 2022, a federal jury found Joseph Sullivan, Uber’s former chief security officer, guilty of obstruction of justice and misprision of a felony for the act done in 2016 by him. He is currently awaiting sentencing which may range from 24 to 57 months in prison. As per US statutory the punishment for the act of crime in this case can be a maximum sentence of five years in prison on the obstruction count and three years in prison on the misprision of a felony count.
The Fact of the Incident
- In early 2016, there had been a hack that resulted in a data breach involving the compromise of approximately 57 million personal records of Uber, which included the data pertaining to the drivers and passengers of Uber.
- This incident had occurred, during the time when Uber was already under investigation by the US Federal Trade Commission (FTC) for a separate but similar data breach that Uber discovered in September 2014 and reported to the FTC in February 2015.
- Joseph Sullivan was the CSO of Uber (from Apr 2015 to Nov 2017) when the subject incident of 2016 took place at Uber.
- Sullivan was heavily involved in Uber’s response to and settlement negotiations regarding the FTC’s investigation of the 2014 breach.
- On 14 November 2016, a set of separate hackers had used a proton email account to inform the CSO of Uber, that they had breached Uber’s AWS S3 bucket and downloaded database backups containing millions of personal records.
- Just 10 days before learning of the 2016 incident, Sullivan had provided sworn testimony to FTC staff on the 2014 incident and Uber’s security program.
- Neither Sullivan nor anyone else at Uber involved in the incident response disclosed the 2016 incident to the FTC.
- The hackers of the 2016 episode did provide samples of the data they had stolen and demanded to be paid, for its return.
- The hackers of the 2016 episode, threatened to release the data online and publicly out Uber as having suffered a massive data breach.
- Sullivan is said to have provided the details of the 2016 hack and data breach incident to the Uber CEO Travis Kalanick.
- The CEO Of Uber, and the in-house Legal Team of Uber and other potentially affected individuals, is said to have decided not to disclose the matter in public and to the FTC, and had decided to enter into negotiations with the Hacker Team.
- Further, Sullivan worked with Uber’s then-CEO, an in-house lawyer, and others on the security team to supervise the negotiations and also arrive at an agreement under which Uber would pay the hackers $100,000 in bitcoin.
- To mask the complete payment activity a ‘Bug Bounty’ program, in the guise of dealing with the hackers was announced.
- Sullivan and Team, also carried out allied activity with an attempt to craft a narrative that would allow them to claim that no reportable data breach of personal information had occurred.
- Subsequently, based on the negotiations and the dealing, Sullivan and others paid the hackers through Uber’s formal bug bounty program.
- Though, the complete narrative and the company corporate policy found to not fit squarely into Uber’s bug bounty program parameters, the Team at Uber went into more non-recorded means. For instance, the hackers were clearly attempting to extort a payment by threatening to expose the breach and the contents of millions of personal records contained in a database backup they now possessed. They were seeking a payment that was much higher than the $10,000 cap.
- Here again, Uber, without knowing the hackers’ true identities, required them to sign a nondisclosure agreement drafted by Sullivan and Uber’s in-house lawyer that included a false “promise” that the hackers “did not take or store any data during or through [their] research”.
- Things did not stop there; in January 2017, an Uber security team member determined the true identities of two of the three hackers, located them, and had them sign new versions of the false nondisclosure agreement in their true names.
- In November 2017, Uber is taken over by a new management, this includes the CEO and CSO.
- The new management team disclosed the 2016 incident publicly and to the FTC.
- This disclosure by the new management caused the FTC to withdraw a draft complaint and consent order that it had negotiated with Uber regarding the 2014 breach and its security program. (A revised complaint and consent order were negotiated and approved by the FTC in October 2018 as part of a $148 million settlement between Uber, the FTC and all state attorneys general.)
- An Investigation on the management/handling by Uber of the 2016 incident was announced by the US Government.
- In August 2020, the US Department of Justice announced criminal charges against Sullivan for obstruction of justice. The criminal complaint said Sullivan arranged, with CEO Travis Kalanick’s knowledge, to pay a ransom for the breach as a “bug bounty” to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data. Sullivan, while being tried by the FTC and in pursuant to the complete investigation, in December 2021 had to face additional charges.
Events that also catalysed the charges against Sullivan
- This fact that the incident of 2016 at Uber had actually occurred, and also for reasons that the same was not disclosed to authorities including US FTC, who were investigating and hearing the Cyber Breach on Uber in 2014, cannot be ignored and shall be taken into cognisance.
- The fact that Sullivan as CSO/CISO was directly involved in the hearing at the FTC and he being responsible for any such Security breach is well understood to be responsible for any omissions and commissions.
- Sullivan had briefed the FTC staff on remediation and improvements to Uber’s security program for the 2014 incident, and that he inaccurately claimed that he had completed and would prevent the reoccurrence of a breach targeting the same vulnerabilities.
- Sullivan misrepresented key facts to minimize his actions and blamed the in-house lawyer whom he supervised for failing to disclose the incident.
- The use of ‘Bug Bounty’ Program as a means to extract money from the Uber Accounts, for payment to unauthorised ‘Hackers’, for a purpose other than the one for which approvals were taken on books.
- The negotiation with unknown people, and that these elements demanded more than the amount negotiated as pay-out.
- The payment to the attackers was not only to prevent the release of the stolen data but also was to negotiate, to buy the hackers’ silence, which is a gross misconduct against corporate ethics.
- This act by Uber and the Team was at a time when the federal and state governments were in a process of adopting more aggressive policies focused on cybersecurity and white-collar compliance.
- The fact that as CISO/CSO at Uber, Sullivan, did not divulge the details of the cyber-extortion incidents and the perpetrators and extortioners to appropriate authority.
- Sullivan, being answerable for all aspect of a Cyber Breach, that occurs at Uber, did not keep the records of his discussions and decisions thereof on the internal meetings and directions pertaining to the incident of 2016.
- The fact that the criminals who may be involved in incidents of such nature, may be ‘Day Lighted’ some day or the other.
- Incidentally, two among the three hackers (Brandon Charles Glover (age 26, of Florida) and Vasile Mereacre (age 23, of Toronto)) who had executed the 2016 hack on Uber were caught by the US investigators and LEA on separate counts.
- During their interrogation, on 30 October 2019, the two hackers – Glover and Mereacre – pled guilty to conspiracy to violate the Computer Fraud and Abuse Act in connection with the 2016 incident at Uber. Glover and Mereacre admitted that they had hacked into Uber’s AWS S3 bucket, stole the database backup containing millions of personal records and extorted Uber into paying $100,000 in exchange for their execution of the false nondisclosure agreement.
Five (5) Key Takeaways for CISOs/CSOs as a fall-out of the incident at Uber
This incident at Uber is marked as the first criminal conviction of a senior executive for obstructing a regulatory investigation into cybersecurity program compliance and concealing a cyber incident from regulators in the US. India, also has such laws in place; as listed in the IT Act, and also the NCIIPC Regulations, and also through meaningful interpretations of the relevant sections of Criminal Procedure Code (CrPC) and Indian Penal Code (IPC).
There are many issues and implications to unpack in the Sullivan case. Based on Post-Incident analysis, that ensured from the Uber Cyber Breach of both the incident of 2014 and that of 2018; “Cyber Secure India”, brings out Five (5) major or key ‘Takeaways for CISOs/CSOs’ (Indian CISOs/CSOs in particular), so that they do not land up in the plight in which Joseph Sullivan is today in:
- Be aware of the Laws of the Land (including that of India) and also those Laws/Regulations/Guidelines that is part of the Business Continuity of the Organisation- India’s Information Technology Act 2000 (ITA) is an exhaustive and deterrent law, that can be used for any such acts of violation in terms of Cyber aspects are concerned. The use of IPC in conjunction with ITA can be used for any act that is against the Rule of Law and for Jurisprudence in the Cyber World. Personal and confidential information is protected under the Information Technology Act 2000 (ITA) and the IT Rules. India’s Central (even the State) Government has ratified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (DP Rules) under the ITA, to govern entities that collect and process sensitive personal information in India. The Constitution of India guarantees the right to privacy to all citizens as part of the right to life and personal liberty under Articles 19 and 21, and as part of the freedoms guaranteed by Part III of the Constitution. The demand for digital transformation in the corporate ecosystems and involvement of Government in India in the creation of laws on personal data protection and also provides protection of the same, is also a matter that cannot by the CISOs. Ministry of Electronics and Information Technology (MeitY), Government of India has issued vide its order No. 6(12)/2017-PDP-CERT-In dated 14/03/2017, a consolidated document on “Key Roles and Responsibilities of Chief Information Security Officers (CISOs)”. With regard to, Critical Information Infrastructure (CII) or Critical Infrastructure (CI), Section 70 of the IT Act has provided for the essential safeguard. The formation of NCIIPC under Government of India, has also provided rules of governance and has provided mandate for such CISOs who manage CII/CI.
- Legacy Knowledge of the organisation or corporate or Office, that one is to take over (including litigation and Legacy Cyber Incident and response)- Cyber Incidents are part of Corporate or Organisational Routine. The CISO on assuming the appointment need to perform the essential Knowledge Transfer from the incumbent or create the repository to perform Continuity of Cyber Security Management in the Orgainsation. Civil and criminal litigation, as well as regulatory inquiries, are increasingly following from cyber incidents in India. Incident responders should operate with an understanding that they and senior executives may become key witnesses or even parties, and that response materials and communications are likely to be the key exhibits where the Judiciary or Regulators are involved. CISO also should understand that, they are directly responsible to the Government of the Land and also to the Regulators or to the Citizen/Subscribers at large. It is also to be understood by CISOs that legal privilege does not always apply, or may be waived, as to particular documents and communications created in the incident response process. Failing to disclose a data breach is also a crime (as per latest CERT-India Orders). Further, obstructing a regulatory investigation into a cyber incident and actively concealing an incident from regulators seeking information about the incident or the company’s security posture can be termed as an even grave crime. CISOs also need to remember that concealment or obstruction will lead to serious victimization of other persons or entities by cyber criminals, and the offence can also be held culpable in the eyes of ‘Law of Natural Justice’ (even in the absence of an enacted Law).
- Regular Audit and Security Measures to include Investment into Cyber Security Measures- The first question that one can contemplate, then it comes to security and the teeth that a CISO has while managing the organisation is: where does he belong in an org chart? Regular Audit and openness to external scrutiny should be inculcated as a habit among CISOs. The Cyber Drill of regular Risk Assessment and prioritising procurement of assets and putting in place policies and procedures is a regular activity that a CISO needs to follow. Investigation into incidents should not be swept under the carpet, and where essential Government Entities need to be informed appropriately and timely. As a CISO if you or your organization is under active investigation by a governmental agency, do not affirmatively attempt to conceal relevant, non-privileged information from the agency or those inside your organization who need to know (e.g., about security flaws or new incidents). You may need help evaluating and understanding the scope of the agency’s investigation and what affirmative obligations you have to provide information in response to open inquiries. Taking help from such agencies, should not be viewed as a point of lacking within the organisation or lack of competence of handling Cyber Incidents by the CISO.
- Training and Workshops as also employment of Third Party Legal/Security Consulting- Data Security initiatives by a CISO/Organisation, are one of those corporate balancing acts, and this should lead to all initiatives aligned with overall organizational strategy. As CISO, a deeper understanding of the business should be the core strength and inturn should make operational activities surrounding data security more effective. The need for training and conduct of review of ‘Employee Cyber Quotient,’ is also the duty of the CISO. The scope of being influential among the Management and Board is also within the ambit of the CISO. Emphasis on Security Spending in the encompassed spending budget of the organisation, should be aimed towards atleast a 30% of the total spending towards Cyber/ Digital Security measures.
- Truthful Reporting and Financial Probity in all dealings while as CISO/CSO- The CISO is previa to more than many aspects of the Company’s Business. The Ethics of Business cannot be alienated from the IT System of any organisation. The Cyber Incidents that come under the lens of the CISO, may be unpleasant and may also be against the most favoured among the CISO’s list of people. Yet, the CISO need to act with due diligence and be unbiased or act with zero favouritism. Further, the CISO may direct Non-Disclosures from interacting entities; hence there can be valid reasons to seek non-disclosure agreements with legitimate security researchers, and non-disclosure agreements are also still acceptable in connection with legitimate bug bounty activities or conduct of Risk Assessment or Hackathons, etc. The CISOs program policies and proper oversight should help ensure that these agreements are not used to conceal criminal activity. Last but not the least; the learning from the Uber Incident should drive a point to the CISO’s, that Financial Probity in all dealings is of utmost importance, more so when the CISO Office is directly involved in pay-outs. On the other side of the coin, organisations should expect to see increased whistleblower activity around cybersecurity programs generally and incident response activities in particular. If the intent of the CISO is malafide, this may lead to embarrassment to not only the organisation but to the CISO. On the same side of the coin, is the aspect of being ‘Day Lighted’; it may so happen that the perpetrator of an erstwhile hushed up incident may land up in the net of LEA, and then disclose the connivance done in the past.