Key takeaway: Don’t attempt to conceal a data breach. [293 words]
What: A federal jury in California has convicted former Uber CISO Joseph Sullivan for attempting to conceal a 2016 data breach that exposed sensitive account data belonging to some 57 million riders and drivers. The San Francisco jury found Sullivan guilty of obstructing justice by keeping knowledge of the breach from the FTC which at the time of the 2016 incident was investigating a previous Sept. 2014 data compromise at Uber. In addition to the obstruction charge, the jury also convicted Sullivan for misprision or deliberate concealment of a felony.
The DOJ’s case: Prosecutors alleged that Sullivan—a former cybercrime prosecutor and senior security executive at firms such as Facebook and Cloudflare—actively concealed details of the breach from the FBI even while responding to the agency’s inquiries about the prior breach. The prosecutors accused Sullivan of going to elaborate lengths to ensure knowledge of the breach was tightly limited. This included him paying $100,000 to the two hackers responsible for the breach to try to get them to keep quiet about the breach—and then trying to pass the payoff as a bug bounty. They alleged that an NDA he attempted to get the hackers to sign falsely represented the hackers had not accessed or stored Uber data during the intrusion. Uber fired Sullivan in 2017.
Why the verdict matters: The case is the first one where a senior security executive has faces criminal liability for a data breach. The verdict could fundamentally change how security executives handle data breaches, especially those involving ransomware payments.
More: