Former Uber CSO Convicted of Data Breach Cover-Up
What Precedent Does This Set?
Key Takeaways
- Several approaches can be taken to mitigate the effects when a company gets hit with ransomware.
- However, the former Uber CSO prosecution is an interesting development that other security professionals should consider when responding to an attack.
- In response to a ransomware hit, the Uber CSO covertly paid off the hackers, got them to sign a non-disclosure agreement, and swept the issue under the rug.
- While failing to disclose a data breach is not itself a crime, the U.S. Attorney’s Office prosecuted the CSO, and a jury found him guilty, for obstructing a regulatory investigation and concealing the incident from regulators.
- If you’re considering a ransom payment after a data theft, notify law enforcement to prevent legal prosecution.
Hackers’ tactics are getting more sophisticated, and organizations are finding it increasingly challenging to keep up. The threat is compounded as cybercriminals coordinate their efforts and receive backing from influential groups.
Maintaining a solid cybersecurity posture is difficult even if your company hires experts to monitor data security and confidentiality.
One of the biggest challenges for CSOs (Chief Security Officers) and other security professionals is ransomware. Security professionals respond to a ransomware hit in different ways, and the wrong approach can land the CSO in ugly legal battles. That is what happened to the former Uber CSO, Joe Sullivan, over the company’s 2016 breach.
Uber’s 2016 Data Breach Cover-Up: What Exactly Happened?
On Oct 5th, 2022, a federal jury found Uber’s former CSO guilty of obstructing justice and concealing a felony for his role in responding to the 2016 data breach. The breach compromised approximately 57 million personal records of Uber passengers and drivers.
According to the New York Times, the hackers sent Sullivan a notice informing him of the breach. They then demanded a ransom, threatening to release the information on Uber riders and drivers on the dark web and to the public if it was not paid.
The Wrong Turn That Led to the Uber CSO’s Prosecution
To avoid drawing the attention of the Federal Trade Commission (FTC) to the matter, Sullivan, the then-CSO, reached out to Uber’s in-house legal team and CEO and told them about the notice. The three parties agreed to negotiate with the hackers to have the breached data deleted and to keep quiet about the matter.
Uber’s CEO at the time, Travis Kalanick, agreed that the company should negotiate with the criminals. The deal required the hackers to sign a non-disclosure agreement (NDA) stating that they would not disclose that they had breached Uber’s network and stolen data.
The deal further required the hackers to destroy the data they had exfiltrated — as if hackers always keep their word. In return, Uber would pay the hackers $100,000 in BTC and disguise the payment as an award from its “bug bounty” program.
A year after the cover-up, Uber fired Kalanick over unrelated issues and appointed Dara Khosrowshahi as the new CEO. When Khosrowshahi learned what had happened, he fired Sullivan, notified the Federal Trade Commission (FTC), and assisted a U.S. attorney in building a case against Sullivan.
The new Uber CEO could have kept the information to himself, but he wanted to do things differently under his leadership. Consequently, Uber paid fines of up to $148 million for failing to disclose the data breach on time.
The Justice Obstruction and Misprision Charges
The U.S. Attorney’s Office pursued Sullivan for obstruction of justice over his failure to notify the government about the breach. Because that failure is not in itself a federal offense, he was charged with two specific violations:
- Obstruction of proceedings
- Misprision of a felony
On the obstruction count, the jury found that the former Uber CSO had corruptly obstructed the proper administration of the law. On the misprision count, it found Sullivan guilty of actively concealing a felony.
What Sullivan’s Conviction Means to CSOs
The work of a CSO or any security professional is challenging. CSOs are under constant pressure to keep their company current with rapidly evolving cybersecurity trends and threats.
However, the Sullivan guilty verdict adds another complex layer to the position of a Chief Security Officer: CSOs must be aware that they can be held personally liable for their organizations’ decisions.
As the facts show, the former CSO notified the CEO and the internal legal team about the ransomware attack when it happened in 2016. All three parties agreed that negotiation would be the best approach. He went ahead with the plan, yet six years later he was the only one convicted of obstruction of justice.
Will the law approach all data breach cases this way? Many will argue no. The case is worth noting, but it is also unique because the former Uber CSO actively tried to hide the breach from regulators and officials, never telling the government that hackers had stolen data from Uber’s network.
To Pay or Not to Pay: The Truth About Ransomware Negotiation
While the law discourages ransom payment, the tactic is common in many organizations — especially those with cybersecurity insurance policies that cover such attacks.
While the FBI discourages ransomware negotiation, it states that it will not pursue businesses that negotiate and pay to recover their data from hackers. However, the hackers must not be linked to prohibited criminal groups — especially those with heavy Russian influence.
When Are Ransom Payments Necessary or Advisable?
Despite the risk of paying ransomware demands, there are circumstances where you cannot automatically rule out the option. Such scenarios include when:
- Critical infrastructure providing essential services to an organization is under attack, and the company doesn’t have enough time to restore operations or services.
- Hackers have accessed and stolen business-critical IP or other sensitive proprietary information, and its release might be extremely damaging.
- The company needs to obtain decryption keys and vulnerability information from the attackers to better understand the attack vector and prevent future occurrences.
Transparency Will Save You The Worry
There is no straightforward answer to whether a business should pay a ransom when hit by ransomware. However, you must notify the proper regulators and authorities of the incident on time to avoid ending up in Sullivan’s position. After all, hiding a ransomware incident is nearly impossible, and lies and excuses will not build goodwill with regulators or the client base.