A Blog About FTC regulations and happenings
Former Uber Security Chief Convicted of Federal Charges Stemming From 2016 Extortionate Data Breach
Uber’s former Chief Security Officer, Joe Sullivan, was convicted of two federal charges—obstruction of justice and misprision of a felony—for his role in covering up an extortionate data breach in 2016, which compromised more than 50 million personal records of Uber drivers and passengers, while the Federal Trade Commission (“FTC”) was probing Uber’s privacy protections.
The San Francisco jury’s verdict marks a stunning development for cybersecurity and in-house legal practice, as Sullivan’s conviction is the first major criminal case brought against a corporate executive over an externally caused data security breach. The prosecution was led by the U.S. Attorney’s Office in San Francisco, where Sullivan himself once served as a federal cybercrime prosecutor. After leaving that office, Sullivan served as the top security executive at Facebook, Uber, and Cloudflare.
While there have been a variety of reports underscoring the first cybersecurity criminal case against a corporate executive, certain critical aspects of the incident have not garnered enough attention and are highlighted here.
Facts of the Uber Breach and Extortion
The attackers used a credential Uber had accidentally left exposed to access and download data from one of Uber’s Amazon Web Services (AWS) storage repositories, extracting the unencrypted personal data of approximately 57 million Uber riders and drivers. With the data in hand, they emailed Uber anonymously, described the breach, and demanded payment. Sullivan’s team responded by directing them to Uber’s bug bounty program and noting that its top payout was $10,000. The attackers instead held the data for ransom, threatening to release it publicly unless they were paid “six figures.”
Negotiations ended with a $100,000 payment in bitcoin and a promise from the hackers that they would delete the unencrypted data and refrain from publicly revealing that the incident had occurred. Sullivan’s team used details about the nature of the intrusion to identify the hackers, and that knowledge served as leverage to keep them from reneging on the agreement. Importantly, the negotiated agreement required the hackers to sign a nondisclosure agreement containing a false “promise” that they “did not take or store any data during or through [their] research,” which they plainly had, hence the ransom. The purpose was to keep the incident within the parameters of Uber’s bug bounty program, at least on paper. It would also help Uber avoid negative publicity and, under the same pretense, the breach notification requirements discussed below.
The negotiation, payment, and eventual concealment were not carried out by Sullivan and his team alone. Then-CEO Travis Kalanick and Craig Clark, a lawyer on Sullivan’s team, approved the strategy and concluded that it was unnecessary to report the breach to authorities, despite the FTC investigation ongoing during the same period, so long as the hackers were identified and agreed to delete the data. Others were informed of the incident as well, including Uber’s chief privacy lawyer, who, according to the Washington Post, was overseeing the response to the FTC investigation stemming from a major breach in 2014, and the head of the company’s communications team.
When Uber came under new management in 2017, Sullivan minimized the extortion as a routine bug-bounty payout, deleting the true amount paid from an email and hiding from Uber’s new (and current) CEO, Dara Khosrowshahi, the fact that the data was unencrypted. That detail mattered: most state data breach laws exempt encrypted data from notification requirements, so the unauthorized acquisition of unencrypted personal information is precisely what triggers mandatory breach reporting. After internal investigations exposed the true nature of the breach, Uber fired Sullivan and disclosed the incident to the public and to the FTC.
Following Uber’s disclosure, the FTC withdrew the draft complaint and consent order that had come out of its investigation, which had been running when the 2016 incident occurred. In October 2018, the FTC finalized a revised complaint and consent order that now covered the 2016 extortionate breach as well; in a separate settlement with state attorneys general, Uber paid $148 million to resolve their claims arising from the incidents. Under the FTC order, Uber must implement a comprehensive privacy program and, for 20 years, obtain biennial independent third-party assessments, which it must submit to the FTC to certify that the order’s requirements are being met.
Cyber Cover-Ups, Surprisingly Common?
Cybersecurity incidents similar to the Uber extortionate breach occur routinely. Security firms and insurance companies now specialize in handling them; Michael Hamilton, founder of the security firm Critical Insight, has even compared them to a fender-bender. Additionally, while the FBI officially discourages paying ransoms, FBI leaders have stated that people and companies who pay will not be pursued unless the payment violates sanctions against named criminal groups, especially those with ties to the Russian government. The underlying presumption is that the practice is common even if rarely acknowledged publicly.
The instructive difference in the Sullivan case is that Uber was, at the time of the incident, under investigation by the FTC because of cybersecurity breaches of a similar nature. Indeed, both charges hinge on this fact.
With respect to the first charge, Sullivan was found to have violated 18 U.S.C. § 1505, which criminalizes obstruction of proceedings before a department or agency of the United States. Without the FTC’s investigation, there would have been no proceeding for Sullivan to obstruct. While otherwise cooperating with that investigation, Sullivan approved responses to the agency’s queries that he knew contained false information about Uber’s communications and about its cybersecurity incidents and practices.
With respect to the second charge, misprision of a felony, the jury found that Sullivan worked to actively conceal the extortionate data breach (a felony) from the FTC while the agency was investigating Uber over incidents of exactly this nature and seeking information about Uber’s cybersecurity protections and measures. A critical element of the misprision charge is the false “promise” in the NDA, made in an attempt to deceptively legitimize the breach and payment as falling within Uber’s bug bounty program when the hackers’ extortion demands establish otherwise. That affirmative act matters because misprision under 18 U.S.C. § 4 requires more than silence: as courts have long held in construing the statute, mere failure to report a federal felony is not a crime; the defendant must also commit some affirmative act designed to conceal the fact that a federal felony has been committed.
The essence of Sullivan’s prosecuted misconduct was not that he failed to report a felony, or even that hackers who had compromised data under his protection were paid for their silence. It was that, in doing so, he affirmatively interfered with the FTC’s ongoing investigation into Uber by concealing that the felony had ever occurred.
New Federal Developments Combat Cyber Incident Cover-Ups
As discussed above, extortionate breaches with payoffs appear to be widespread, just not publicly so. Two major federal cybersecurity measures address the issue directly, although both are still being implemented:
First, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, enacted as part of the $1.5 trillion government funding bill (H.R. 2471, the “Consolidated Appropriations Act, 2022”) signed by President Biden in March 2022, imposes new cybersecurity reporting requirements. The law requires entities in critical infrastructure sectors such as health care, finance, energy, and transportation to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours, and to report any ransom payment within 24 hours of making it. These obligations take effect once CISA’s implementing rule is final. Such a change will provide important insight into how many and what sort of cyberattacks are being leveled against companies in these industries in the United States.
Second, the Securities and Exchange Commission (“SEC”) has published new rules governing how and when publicly traded companies must disclose significant cyber incidents to the public. The rules enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Meeting them requires companies to maintain a documented data and cybersecurity program and other protections commensurate with the threats they face, in addition to the reporting obligations themselves.
The FTC Holds Corporate Officers Accountable
Finally, the FTC has signaled that it will use its authority to hold corporate officers (in addition to their companies) responsible for data security failures and has taken action to further these goals.
For instance, the FTC recently filed a complaint against Drizly, a Boston-based online alcohol marketplace owned by Uber, and its CEO James Cory Rellas. The FTC alleged that the company’s security failures led to a data breach that exposed the personal information of about 2.5 million consumers. As in the Uber case, the attacker reached consumer data stored in AWS; in Drizly’s case, the attacker obtained an employee’s inadequately secured login to the company’s code repository, found there the credentials for Drizly’s AWS-hosted data, and used them to access it.
The FTC claims that two years before the breach, Drizly and Rellas were alerted to the security problems behind the exposure but failed to take the necessary steps to protect the data. Specifically, the FTC alleges that Drizly and Rellas failed to implement basic security measures, stored critical database information on an unsecured platform, neglected to monitor their network for security threats, and exposed customers to hackers and identity thieves.
Notably, the FTC’s proposed order, which limits future data collection, requires the destruction of unnecessary data, and mandates a rigorous information security program, applies not only to Drizly but also to Rellas personally, following him even if he leaves the company. As the FTC noted:
“In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures.”
As the Uber case illustrates, companies and corporate officers must tread carefully when dealing with cyber incidents, particularly in the context of ongoing investigations. Prosecutors and federal agencies expect organizations and their officials to protect personal data, and to have procedures in place for prompt, accurate reporting of cyber incidents such as data breaches.
 Two of the three hackers were later arrested and pleaded guilty to hacking charges.
 It should be noted that Craig Clark was offered immunity in exchange for testifying against Sullivan.
 18 U.S.C. § 4.