
Former Uber executives may be jailed for concealing data breaches, how should companies respond to hacker extortion?


On October 5, a U.S. federal court jury returned a verdict against Uber’s former chief security officer, Joseph Sullivan, who had tried to hide Uber’s 2016 data breach from the U.S. Federal Trade Commission (FTC). Sullivan was convicted of obstruction of justice and concealment, and could face up to five years in prison for the former charge and up to three years for the latter.

According to the New York Times, this is the first case in the United States in which a corporate executive faces criminal prosecution over a hacking incident. But multiple security experts believe that Uber may not be the only company to have hidden a data breach; in fact, paying ransoms to hackers is not uncommon. Still, the ruling could change the way corporate security professionals deal with data breaches.

Sullivan’s tenure as chief security officer involved two data breaches at Uber in 2014 and 2016

Sullivan was hired as Uber’s chief security officer in April 2015. A month after he took office, the FTC opened a civil investigation into Uber over the 2014 data breach. That incident involved unauthorized access to the personal information of approximately 50,000 consumers, including names and driver’s license numbers. Sullivan was tasked with describing the steps Uber was taking to keep customer data safe, and he testified under oath to the FTC on November 4, 2016.


Ten days after his testimony, on November 14, 2016, Sullivan learned that Uber had been hacked again. The hackers contacted Sullivan directly by email, saying they had discovered a security flaw at Uber, obtained digital access keys, and stolen a massive amount of user data from Amazon’s cloud servers, including the records of about 57 million Uber users and 600,000 driver’s license numbers. They demanded a large ransom in exchange for the data.

Sullivan concealed the breach and did not disclose it to Uber users or any agency, despite knowing it should be reported to the FTC immediately. After negotiations, in December 2016, Sullivan paid the hackers $100,000 in bitcoin, disguising the payment as part of a bug bounty program.

In exchange, both parties signed a non-disclosure agreement. According to the investigation, the hackers promised in the agreement not to disclose the data breach to anyone, and also made the false statement that “no data was obtained or stored.” In January 2017, the Uber security team identified the two hackers and had them sign new copies of the nondisclosure agreement under their real names.

Evidence suggests that Sullivan knew the hackers were attacking and extorting other businesses at the same time as Uber, and had obtained data from at least some of them. A later guilty plea filed by the hackers showed that after Sullivan helped cover up the attack on Uber, the hackers went on to target and extort another business, lynda.com. That company has since been carrying out recovery work to limit its losses.


In the fall of 2017, Uber’s new management learned of the 2016 data breach and began investigating it. Sullivan lied to the new CEO and to outside lawyers, claiming the hackers had not received the ransom until after they were identified, and tried to hide the extent of the breach. Uber’s new management nonetheless moved forward with the investigation and publicly disclosed the matter to the FTC in November 2017. Shortly after the incident came to light, Sullivan was fired.

In 2018, Uber struck a deal with the FTC, pledging to maintain a privacy program for 20 years. In July 2022, Uber and U.S. prosecutors reached a settlement agreement under which prosecutors would not bring criminal charges against Uber. In exchange, Uber formally admitted responsibility for the 2016 data breach, paid $148 million to all 50 U.S. states, and pledged to “cooperate fully” in the case against Sullivan, which concluded with the jury’s verdict on Oct. 5.

According to the Department of Justice’s website for the Northern District of California, the trial took four weeks, and the jury of six men and six women deliberated for more than 19 hours before reaching a unanimous verdict. Sullivan could face up to five years in prison for obstruction of justice and up to three years for concealment; the final sentence will be determined at a later date. Sullivan remains free on bail pending sentencing.

Sullivan’s lawyer, David Angeli, disagreed with the verdict, arguing: “Mr Sullivan’s sole focus, in this incident and throughout his illustrious career, has been keeping people’s personal data safe on the internet.”


The verdict will make executives rethink how to handle data breaches

The prosecutors and FBI agents in charge of the case have sent a clear message to the public that it is intolerable for business executives to hide data breaches.

“The message of this judgment is clear: the businesses that store customer data have a responsibility to protect that data and take the right steps when a breach occurs,” said Robert K. Tripp, the FBI’s San Francisco Special Agent in Charge. “The FBI and our government partners will not allow rogue tech executives to put the personal information of American consumers at risk for their own personal gain.”

Stephanie M. Hinds, the U.S. Attorney in charge of the case, also said: “Tech companies in the Northern District of California collect and store large amounts of user data, and we expect these companies to protect this data and alert customers and authorities if it is stolen by hackers. We will not tolerate executives who care more about protecting their own and their employers’ reputations than protecting their users withholding important information from the public. When this behavior violates federal law, it can be prosecuted.”


However, will making it illegal to pay ransoms really stop business executives from covering up data breaches? Many experts are pessimistic about this.

Although this is the first U.S. prosecution over a cybersecurity ransom payment, Uber may not be the only company to have paid one to cover up a data breach. Casey Ellis, founder of Bugcrowd, said Uber was not alone in using a bug bounty program to cover up data security issues that should have been disclosed by law.


In Sullivan’s case, prosecutors argued that the nondisclosure agreement with the hackers was evidence of his involvement in the cover-up. However, according to The Washington Post, in the five years since Sullivan was fired it has become customary for companies to pay hackers ransoms, increasingly in the hundreds of thousands of dollars, as the average payout now exceeds the $100,000 Sullivan paid. Businesses are turning to security companies or insurance companies to process these transactions. “Paying hackers ransoms for vulnerabilities is actually more common than people realize,” said Michael Hamilton, founder of security firm Critical Insight.

The FBI has also said that prohibiting ransom payments does not actually prevent companies from making them. Instead, it would give “extortionists one more stick to control their victims”. So, while formally discouraging the practice, the FBI said it would not hold those people and businesses accountable as long as the payments do not violate Russia-related sanctions.

In fact, some security experts expressed sympathy for Sullivan. They argued that while what Sullivan did was not necessarily correct or perfect, any of them could have found themselves in the same position. How security executives should bear personal responsibility for corporate decisions remains an open question.


Still, the verdict is likely to change the way corporate security professionals deal with data breaches, including how responsibility is assigned and how bug bounty programs are designed.

“This case will definitely make executives, incident responders and anyone else involved in deciding whether to pay or disclose ransoms think harder about their legal obligations,” said Brett Callow of security firm Emsisoft. “It’s not a bad thing. Right now, there is so much happening in the dark that a lack of transparency can undermine cybersecurity efforts.”
