The federal trial of a former Uber Technologies Inc. executive over a 2016 hack has raised concerns among cybersecurity professionals about the liability they might face as they confront attackers or seek to negotiate with them.
Joseph Sullivan, the former executive, is facing criminal obstruction charges in a trial that began Wednesday in San Francisco for his role in paying hackers who claimed to have discovered a security vulnerability within Uber’s systems.
Federal prosecutors have charged Mr. Sullivan with criminal obstruction, alleging that he helped orchestrate a coverup of the security breach and sought to conceal it to avoid required disclosures.
Mr. Sullivan has pleaded not guilty to the charges, and his attorneys say the company paid the hackers through legal “bug bounty” channels. A bug bounty is an arrangement used by many companies in which they pay external researchers who find security vulnerabilities within their systems.
The case has captured the attention of many peers of Mr. Sullivan, a former federal prosecutor who worked at
and was a well-respected figure in security circles in Silicon Valley. He is presently chief security officer at internet company
where he is currently on leave. Some of Mr. Sullivan’s peers said they view the case as a test of the potential criminal penalties they could face over security lapses or challenges that aren’t always black and white.
Decisions on how to respond to a cyber incident are almost always made by consensus with senior leadership and not unilaterally by a chief security officer, said Marc Rogers, senior director of cybersecurity for identity-verification company
“On the other hand, the CSO is the figurehead for security and is often the one on the hook,” he said.
Many top security officers believe that Mr. Sullivan did nothing wrong, said
formerly the chief security officer at
“Criminalization of the reporting decisions Joe made will not help to advance” the profession, he said. “This should be an open debate held across the security community, not in a court.”
Security professionals face increasing threats from attacks by state-sponsored hackers and criminals around the world. In 2020, companies paid at least $692 million to purveyors of software called ransomware that allows attackers to shut down corporate networks until they receive payment, according to the blockchain analytics firm Chainalysis. And following the 2020 hack on software company
, investors filed a class action against the company and its executive management, including SolarWinds security chief Tim Brown.
The hackers who contacted Mr. Sullivan downloaded about 57 million records, many of them containing private data, and demanded a $100,000 payment. Mr. Sullivan’s team treated the incident not as a data breach but as an example of security researchers reporting a bug, according to court records. Companies spend about $100 million a year on bug bounty programs, according to an estimate by Bugcrowd Inc., which helps set up these programs.
Uber eventually made the hackers enroll in the company’s bug bounty program, used by security researchers to report flaws for payment, and paid them the $100,000 in bitcoin. Before they were paid, the hackers had to sign a nondisclosure agreement attesting that they had destroyed the data in question, according to plea agreements signed by the hackers.
Prosecutors have argued that the nondisclosure agreements were part of a campaign to cover up the incident.
Security experts and law-enforcement officials say that while all U.S. states have breach notification laws, it is common for companies to keep quiet about some security incidents, especially if the evidence that data was misused is hard to find. But in late 2016, Uber was in an unusual position. The Federal Trade Commission was investigating an earlier security incident at Uber. Prosecutors say that by not telling the FTC about this second hack, Mr. Sullivan broke the law.
“This is a case about coverup, about payoff and about lies,” said Andrew Dawson, a Justice Department attorney, during opening arguments in court Wednesday.
In 2019, two of the men who downloaded the data—Brandon Charles Glover and Vasile Mereacre—pleaded guilty to hacking and extortion charges. Mr. Sullivan was fired by Uber in November 2017 and charged in 2020 with obstructing the FTC’s inquiry. Reached Wednesday, an Uber spokesman declined to comment on the trial.
On Nov. 14, 2016, the hackers initially wrote to Uber saying that they had found a vulnerability in the company’s website and they demanded that Uber provide “high compensation” for their work.
More than 30 other Uber employees, including then-Chief Executive
and the company’s legal team, were involved in Uber’s response to the incident, according to David Angeli, Mr. Sullivan’s attorney. Communications with the FTC were handled by the company’s legal department and not Mr. Sullivan, Mr. Angeli said in court Wednesday.
The Uber lawyer advising the team told them that the matter could be treated as a bug bounty and wasn’t a reportable data breach if the hackers deleted the data and signed a nondisclosure agreement, Mr. Angeli said.
The nondisclosure agreements allowed Uber and Mr. Sullivan to find the hackers. To sign the NDA, Uber used software called Adobe Sign, which recorded an “electronic fingerprint” allowing the company to find the attackers, Mr. Angeli said.
The hackers promised to delete all data and signed confidentiality agreements following the breach. But a third person, identified as Individual One in court records, also had access to the data, according to a plea agreement signed by one of the hackers.
“We requested that Individual One delete his copy, which he said he would do, but I cannot be certain that he did,” the hacker, Mr. Glover, said in his plea agreement.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.