[co-author: Bianca Evans]
On October 5, 2022, a federal jury found Joseph Sullivan, Uber’s former chief security officer, guilty of obstruction of justice and misprision of a felony in connection with his role in responding to a 2016 data breach involving the compromise of approximately 57 million personal records for Uber drivers and passengers. Prosecuted in the United States District Court for the Northern District of California, the case marks the first criminal conviction of a senior executive for obstructing a regulatory investigation into cybersecurity program compliance and concealing a cyber incident from regulators. The conviction comes at a time when federal and state governments are adopting more aggressive policies focused on cybersecurity and white collar compliance.
Sullivan, who once served as a federal cybercrime prosecutor in the U.S. Attorney’s Office that is prosecuting him and also held the title of deputy general counsel at Uber, faces a statutory maximum sentence of five years in prison on the obstruction count and three years in prison on the misprision of a felony count. The federal sentencing guidelines, which are not binding on the court, will likely range from 24 to 57 months (depending on whether certain enhancements are applied). A sentencing date has not been set.
Understanding what led to the prosecution and the issues it raises is essential for enhancing best practices and avoiding organizational or personal liability for cybersecurity and white collar compliance failures. We dig into the case a bit below and then provide some of our initial takeaways for organizations and individuals involved in cyber incident response.
- The Sullivan prosecution is an important development, but one we must keep in perspective. Some information security professionals are concerned that this case signals a monumental change in how we think about breach response and personal exposure to civil and criminal liability. Others may dismiss the case as a non-event, with no lessons to impart beyond its unique facts. We fall between these views and believe the outcome reinforces important principles that most incident responders are probably already following each day.
- Simply failing to disclose a data breach is not a crime. Obstructing a regulatory investigation into a cyber incident and actively concealing an incident from regulators seeking information about the incident or the company’s security posture can be a vastly different story.
- After attacking Uber, the individuals Uber paid went on to attack other companies. The Justice Department and regulators are more likely to pursue enforcement activity where false statements, concealment or obstruction lead to serious victimization of other persons or entities by cyber criminals.
- Bug bounty programs play a significant role in cybersecurity programs, but they should be used properly. Companies should feel confident in continuing to run these programs if they do so with appropriate policies and oversight.
- Civil and criminal litigation, as well as regulatory inquiries, are increasingly following from cyber incidents. Incident responders should operate with an understanding that they and senior executives may become key witnesses or even parties, and that response materials and communications are likely to be the key exhibits that win or lose a case. They also should understand that legal privilege does not always apply, or may be waived, as to particular documents and communications created in the incident response process.
On November 14, 2016, hackers used a Proton Mail account to inform Sullivan that they had breached Uber’s AWS S3 bucket and downloaded database backups containing millions of personal records. In ensuing email communications, the hackers provided samples of the data they had stolen and demanded to be paid “six figures” under threat that they otherwise would release the data online and publicly out Uber as having suffered a massive data breach.
Based on testimony and evidence presented at trial, Sullivan worked with Uber’s then-CEO, an in-house lawyer, and others on the security team he supervised to negotiate an agreement under which Uber would pay the hackers $100,000 in bitcoin. In return, the hackers agreed not to post the stolen data online or otherwise publicly out Uber and to destroy any copies of the data they possessed.
This is where the fact pattern begins to diverge from those of many cyber-extortion incidents that have occurred in recent years. That is because Sullivan and his team paid the attackers not only to prevent the release of the stolen data but also to buy the hackers’ silence at a time when Uber was under investigation by the Federal Trade Commission for a separate but similar data breach that Uber discovered in September 2014 and reported to the FTC in February 2015. Sullivan was heavily involved in Uber’s response to and settlement negotiations regarding the FTC’s investigation of the 2014 breach. He had worked with Uber attorneys to draft responses to FTC interrogatories and data requests seeking information about the 2014 breach, any other security incidents Uber had detected, and Uber’s security program. He had briefed the FTC staff on remediation and improvements to Uber’s security program that he inaccurately claimed had been completed and would prevent the recurrence of a breach targeting the same vulnerabilities. Just 10 days before learning of the 2016 incident, Sullivan had provided sworn testimony to FTC staff on the 2014 incident and Uber’s security program.
Sullivan and others paid the hackers through Uber’s formal bug bounty program. They did so in an attempt to craft a narrative that would allow them to claim that no reportable data breach of personal information had occurred. The facts, though, do not fit squarely into Uber’s bug bounty program parameters. For instance, the hackers were clearly attempting to extort a payment by threatening to expose the breach and the contents of millions of personal records contained in a database backup they now possessed. They were seeking a payment that was much higher than the $10,000 cap Uber generally employed for the program. Without knowing their true identities, Uber required them to sign a nondisclosure agreement drafted by Sullivan and Uber’s in-house lawyer that included a false “promise” that the hackers “did not take or store any data during or through [their] research.” In January 2017, an Uber security team member determined the true identities of two of the three hackers, located them, and had them sign new versions of the false nondisclosure agreement in their true names.
Neither Sullivan nor anyone else involved in the incident response disclosed the 2016 incident to the FTC, the potentially affected individuals, or anyone at Uber other than the then-CEO, the in-house lawyer and others working under Sullivan’s close supervision. Instead, Sullivan continued to work with Uber’s legal team, including Uber’s then-general counsel, on the FTC investigation for another year without informing them of the 2016 incident. He commented on Uber’s communications with the FTC in settlement negotiations and approved supplemental interrogatory responses that contained information he knew to be false. When he was later questioned about the incident by Uber’s current CEO and external lawyers, Sullivan misrepresented key facts to minimize his actions and blamed the in-house lawyer whom he supervised for failing to disclose the incident.
In November 2017, Uber’s new management team disclosed the 2016 incident publicly and to the FTC. The disclosure caused the FTC to withdraw a draft complaint and consent order that it had negotiated with Uber regarding the 2014 breach and its security program. A revised complaint and consent order were negotiated and approved by the FTC in October 2018 as part of a $148 million settlement between Uber, the FTC and all state attorneys general.
On October 30, 2019, two of the hackers – Brandon Charles Glover (age 26, of Florida) and Vasile Mereacre (age 23, of Toronto) – pled guilty to conspiracy to violate the Computer Fraud and Abuse Act in connection with the 2016 incident. Glover and Mereacre admitted that they had hacked into Uber’s AWS S3 bucket, stolen the database backup containing millions of personal records, and extorted Uber into paying $100,000 in exchange for their execution of the false nondisclosure agreement. According to the U.S. Attorney’s Office, they also admitted that they hacked and attempted to extort another company after Uber paid them.
The Obstruction and Misprision Charges
Sullivan was not charged with simply failing to notify the government of a breach. Such a failure is not a federal crime. Instead, the jury found Sullivan guilty of two crimes: Obstruction of Proceedings before a Department or Agency of the United States (18 U.S.C. § 1505) and Misprision of a Felony (18 U.S.C. § 4). As relevant here, Section 1505 makes it a crime to corruptly influence, obstruct or impede “the due and proper administration of the law” (or to “endeavor” to do so) in any proceeding pending before any U.S. government department or agency. Section 4 proscribes the concealment of a felony by those who have knowledge of it and do “not as soon as possible make known the same to some judge or other person in civil or military authority under the United States.”
On the obstruction charge, the jury found Sullivan guilty of obstructing the FTC investigation that started before and was still active during the 2016 incident. Sullivan’s conviction is inextricably tied to the FTC’s active investigation of Uber at the time of the 2016 incident and the key role that Sullivan was playing in that investigation. Without the active FTC investigation, there would have been no proceeding to obstruct.
On the misprision (i.e., concealment) charge, the jury found Sullivan guilty of affirmatively acting to conceal the incident from the FTC when the agency’s staff sought information about such incidents and security controls from Uber. Emphasizing the active concealment element in its jury instructions, the court explained: “Mere failure to report a federal felony is not a crime. The defendant must also commit some affirmative act designed to conceal the fact that a federal felony has been committed.” The jury clearly believed that Sullivan concealed the hacking-facilitated extortion crime codified in 18 U.S.C. § 1030(a)(2)(C) & (a)(7)(B) (i.e., the underlying felony) from the FTC by engaging in the actions outlined above. Central to the finding, no doubt, was Sullivan and the immunized in-house lawyer’s drafting of a nondisclosure agreement that included a false “promise” that the hackers “did not take or store any data during or through [their] research.”
Some Initial Takeaways from the Sullivan Prosecution
There are many issues and implications to unpack in the Sullivan case. We plan to continue exploring them in the near future. For now, though, we offer some key points that we have noted at first blush.
Avoid active concealment of information about security incidents and ransom payments.
We begin with the obvious. If your organization is under active investigation by a governmental agency, do not affirmatively attempt to conceal relevant, non-privileged information from the agency or those inside your organization who need to know (e.g., about security flaws or new incidents). You may need help evaluating and understanding the scope of the agency’s investigation and what affirmative obligations you have to provide information in response to open inquiries. If you need help, get it.
Here are some other practical guidelines (these are general, not necessarily commentary on Sullivan’s actions):
- If you are considering a ransom payment in response to a data theft, encryption event or another criminal attack, consider these steps:
  - Evaluate why you are making the payment. Is it to prevent the public release of sensitive data? To obtain recovery keys? Or to stop some other malicious activity (like a DDoS)?
  - Notify law enforcement of criminal attacks, especially if you make a payment. This is already a best practice and consistent with OFAC sanctions guidance. Notifying a federal law enforcement agency or other agency (e.g., CISA) of an incident likely eliminates the possibility of a misprision charge.
  - Evaluate and address your notice obligations under domestic and international breach notification laws, even if you pay. Failure to notify agencies under breach notification laws may not land you in jail but will create plenty of other headaches. Do not mistakenly assume that a ransom payment and an attacker’s “promise” to delete data eliminate your potential notice obligations.
- As an information security professional, do not affirmatively try to conceal facts about a security incident from internal or external stakeholders. At a minimum, this means do not delete or alter data, logs or other evidence to conceal evidence of a crime; do not pay, bribe, threaten or extort others to conceal evidence of a crime; and do not create documents that you know contain false information. This last one should be obvious but is worth including, as stressful times push people to do unusual things.
Ensure that Bug Bounty Programs Have Proper Parameters that Are Followed
When considering bug bounty payments:
- Ensure that you have a clear bug bounty policy in place that identifies authorized bug bounty activities and typical payments.
- Follow your established policies.
- Evaluate unusual bug bounty requests (or demands) carefully, and do not route extortionate or criminal activity through your bug bounty program.
- Ensure that your internal bug bounty procedures include a mechanism to route activity that may be extortionate or that may qualify as a data breach to the appropriate personnel for review and action.
- Use your bug bounty program to compensate legitimate security researchers reporting vulnerabilities in line with your program policies. Do not be too clever and try to use the bug bounty program to conceal evidence of a crime or a data breach. If you are not sure whether a particular activity is legitimate security research or criminal activity, ask for help.
- There are valid reasons to seek non-disclosure agreements with legitimate security researchers, and non-disclosure agreements are still acceptable in connection with legitimate bug bounty activities. Your program policies and proper oversight should help ensure that these agreements are not used to conceal criminal activity.
Is criminal enforcement against incident responders an aberration or a new “stick” in the government’s more aggressive cybersecurity compliance and white collar enforcement programs?
The Sullivan case should be considered in the context of the whole-of-government trend in cybersecurity policy toward more robust disclosure and reporting obligations. Recent activity by the White House, FTC, SEC, Treasury, DoD, DOJ, Congress and others demonstrates that law enforcement agencies and regulators expect more disclosures about cybersecurity programs and incidents, particularly those involving cyber-extortion attacks that can inflict injury on multiple victims. The Sullivan case is one part of that trend.
The case also hits on the hallmarks of the DOJ’s revised white collar policy on organizational liability for criminal conduct. That policy builds on prior “DAG Memos” by prioritizing individual accountability for corporate misconduct. It emphasizes that decisions on whether to prosecute an organization will rest heavily on past history of non-compliance, current compliance programming, and whether the organization provides timely and full self-disclosure of misconduct by individuals – including by waiving legal privilege.
Some of those policy positions are evident in the Sullivan case. Sullivan’s conduct became known only after new management took over at Uber. That new team investigated the conduct and decided to disclose it. Uber subsequently secured a non-prosecution agreement less than two months before Sullivan’s trial began. The government built its case against Sullivan on the testimony of Uber’s senior executives and employees (current and former) and the use of an array of incident response trackers, documents and communications that the government obtained from Uber and its cybersecurity service providers. Without those witnesses and exhibits, there is no criminal case against Sullivan.
On the other side of the coin, organizations should expect to see increased whistleblower activity around cybersecurity programs generally and incident response activities in particular. The DOJ’s Civil Cyber Fraud Initiative and related policies create significant incentives for employees and others to report organizational misconduct that may be otherwise undisclosed. The leveraging of such allegations – even if untrue – by disgruntled current or former employees is also becoming more common.