You remember Joe Sullivan, don’t you? The former Uber CIO who went from dipping his toes in hot water to being neck deep in it by mismanaging a breach of Uber’s network back in 2016. As you might recall, Uber was hit in 2014 with a cyber attack in which a vulnerability was exploited, leading to a very large data breach. The Federal Trade Commission became involved, and in 2016 Sullivan swore to FTC investigators that the vulnerabilities that led to the breach had been fixed. Just 10 days after his testimony, Sullivan got a surprise: Uber’s network was breached again, this time exposing 600,000 driver’s license numbers and other information from user and employee accounts. Hackers exploited the same vulnerability as in the earlier breach.
Bug Bounty Vs. Ransom
Sullivan, according to court documents and testimony, made the decision to withhold that information from the FTC and numerous others. Instead, he paid the hackers responsible $100,000 of Uber’s money to keep quiet about the hack, not sell the data on the open market and, in fact, delete it. When this came to light, Sullivan justified his actions by calling the payment a “bug bounty”, not a ransom. The FBI investigated, found the hackers who received the money, and used them as star witnesses in the government’s case against Sullivan, charging him with Misprision of a Felony and Obstruction of Justice under federal law. Sullivan pled not guilty and contested the charges in a trial last fall. The jury convicted him on both counts.
Arguments for Sentencing
Fast forward to last week and Sullivan’s sentencing hearing. The Federal Prosecutor in the case, following the recommendation of the pre-sentence investigation, called for 15 months’ confinement for Sullivan, an enhancement under the sentencing guidelines. They focused on Sullivan’s extensive cover-up of the breach to justify the sentence they sought. Sullivan’s defense team countered by asking the court to grant him probation instead of incarceration. The foundation of this argument was that Sullivan’s actions, even though a jury had found him guilty, were significantly mischaracterized by the government, and that even though he did several things wrong, he also acted reasonably in some of his other actions surrounding the incident.
Differing Opinions in Cybersecurity Community
The judge in the matter, William H. Orrick, agreed in principle with the Sullivan team, granting him three years’ probation (in addition, he also received a $50,000.00 fine). The case has created a split in sentiment within the cybersecurity community, with some strongly suggesting that Uber leadership left Sullivan as a scapegoat when in fact he was a martyr. Seven years of investigation, court proceedings and highly visible media coverage have finally ended (unless there is an appeal); both parties are still arguing over the devil’s details, and the ongoing debate over how cybersecurity leadership is mistreated by company CEOs rages on.