Appealing Justice: Uber’s Former Chief Information Security Officer Fights Conviction in Landmark Data Breach Case

Former Uber CISO Appeals Conviction in Data Breach Case

Former Uber Chief Information Security Officer (CISO) Joseph Sullivan is appealing his conviction on charges related to a 2016 data breach at the company. In a brief filed with the US Court of Appeals for the Ninth Circuit, Sullivan's legal team argued that the verdict was "profoundly flawed" and threatens the use of bug bounty programs by enterprise organizations.

A Flawed Verdict, Say Sullivan’s Lawyers

Sullivan’s lawyers described him as a victim of a flawed verdict based on tenuous theories about his responsibilities as the security chief at Uber. They argued that he used tools and strategies commonly employed by CISOs to protect the data of Uber drivers and should not be prosecuted for doing his job. If the verdict is allowed to stand, they warned, it could undermine bug bounty programs, which have been an effective tool for security teams across industries.

The Background of the Case

A federal jury found Sullivan guilty last October of obstruction of justice and misprision of a felony (concealing knowledge of a felony from the authorities) in connection with the 2016 data breach at Uber. The breach exposed sensitive data of over 50 million customers and about 600,000 drivers. It occurred while the Federal Trade Commission (FTC) was investigating an earlier Uber breach, in 2014, that affected roughly 50,000 individuals. Prosecutors argued that Sullivan withheld information about the 2016 breach from the FTC, obstructing that investigation.

The Government’s Case Against Sullivan

Prosecutors also accused Sullivan of attempting to cover up the breach by making a $100,000 payment to the two hackers responsible for the compromise. Sullivan maintained that the payment was made through Uber's bug bounty program, a common practice in which companies reward researchers who report vulnerabilities. His lawyers emphasized that the payment was made with the knowledge and approval of Uber's CEO at the time, Travis Kalanick, and of the company's legal team. Prosecutors, however, characterized the payment as an attempt to conceal a criminal act.

Sullivan’s Sentence and Reaction in the Industry

After the verdict, Judge William Orrick sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. The case raised concerns among peers and industry professionals who saw CISOs being cast as scapegoats for broader security failures within their organizations. They argued that if Sullivan were held accountable, then others, including Kalanick, should also face consequences for failing to report the breach.

An Attack on Bug Bounty Programs?

Sullivan’s appeal challenges not only his conviction but also the potential criminalization of bug bounty programs. Bug bounty programs have become a widely accepted practice in the cybersecurity community, with many organizations using them to identify and fix vulnerabilities. Sullivan’s lawyers argue that by characterizing Sullivan’s actions as a crime, the government risks undermining the effectiveness of bug bounty programs in addressing security risks.

The Effectiveness of Uber's Bug Bounty Agreement

Sullivan's legal team maintains that the bug bounty agreement he put in place effectively resolved the 2016 breach. Under the agreement, the hackers disclosed the vulnerability they had exploited, destroyed the downloaded database containing roughly 600,000 drivers' license numbers, and committed not to disclose the incident or the data publicly. Uber paid a $100,000 reward and took no legal action, and, according to Sullivan's lawyers, no user data was ever exposed as a result. On that view, the agreement was a legitimate and successful way of mitigating the security risk.

The Legal and Factual Framework of Bug Bounty Programs

The appeal raises important legal questions about when an individual can be held criminally liable for decisions, actions, and inactions that were made at the organizational level. It also highlights the nuanced nature of bug bounty programs and the uncertain legal framework in which they operate. David Chamberlain, managing director at Orrick, clarified that the appeal does not introduce new legal arguments or evidence but rather emphasizes the limits of the existing ones.

The Path Forward

The government has until November 9th to respond, and Sullivan will have an opportunity to reply by November 30th. Oral arguments in the appeals case are expected to begin in the spring of 2024, with a decision likely in mid- to late 2024.

Conclusion: Balancing Accountability and Innovation

The case against Joseph Sullivan, the former Uber CISO, raises important questions about the accountability of security executives in the face of data breaches. While it is crucial to hold individuals responsible for their actions, it is equally important to strike a balance that does not deter the adoption of innovative security practices.

Sullivan’s lawyers argue that bug bounty programs are a valuable tool for organizations to identify and fix security vulnerabilities. Criminalizing such practices could discourage organizations from implementing effective security programs and hinder collective efforts to create safer digital environments.

As technology advances and new threats emerge, it is crucial that legal systems adapt to ensure justice while fostering a climate of innovation. The outcome of Sullivan’s appeal will provide an opportunity to consider the legal frameworks around bug bounty programs and the appropriate allocation of responsibility in cybersecurity incidents.
