Uber's Ex-CISO Appeals Conviction Over 2016 Data Breach

Former Uber CISO Joseph Sullivan's conviction earlier this year on charges related to a 2016 data breach at the company should not be allowed to stand because it threatens the use of bug bounty programs among enterprise organizations, his lawyers argued in an appeal this week.

In a brief filed Tuesday with the US Court of Appeals for the Ninth Circuit, Sullivan's legal team described him as the victim of a "profoundly flawed" verdict that was based on tenuous theories about his responsibilities as the security chief at Uber.

'Profoundly Flawed' Decision

"Joe Sullivan used tools and strategies that all CISOs utilize to protect the data of hundreds of thousands of Uber drivers and was prosecuted for doing his job," said one his lawyers, Aravind Swaminathan of the Orrick law firm, in a statement. "If [the verdict] is allowed to stand, it's a precedent that threatens to take away a valuable tool that has helped security teams across all industries better protect their systems and puts Americans at much greater risk of being harmed."

A federal jury last October found Sullivan guilty of obstructing justice and misprision of a felony — or working to conceal it — in connection with a 2016 breach at Uber that exposed sensitive data of more than 50 million customers and 600,000 drivers.

The breach happened in the middle of an investigation by the Federal Trade Commission (FTC) of an earlier 2014 security incident at Uber involving the compromise of personal information belonging to some 50,000 individuals.

Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company's data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them.

Flawed Understanding of Bug Bounty Programs

Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber's CEO at the time, and other members of the ridesharing giant's legal team.

But prosecutors described the payment and an associated nondisclosure agreement that Sullivan's team wanted the hackers to sign as an attempt to cover up what was in effect a felony breach of Uber's network.

Following the jury verdict in May 2023, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation and 200 hours of community service and ordered him to pay a $50,000 fine.

Scapegoats for Security Failures?

Sullivan's fate struck a nerve with many peers and others in the industry who perceived CISOs as becoming scapegoats for broader security failures at their companies. Many argued — and continue to argue — that Sullivan acted with the full knowledge of his supervisors but in the end became the sole culprit for the breach and the associated failures for which he was charged. They believed that if Sullivan could be held culpable for his failure to report the 2016 breach to the FTC — and for the alleged hush payment — then so should Kalanick at the very least, and probably others as well.

It's an argument that Sullivan's lawyers once again raised in their appeal of the obstruction conviction this week. "Despite the fact that Mr. Sullivan was not responsible at Uber for the FTC's investigation, including the drafting or signing any of the submissions to the FTC, the government singled him out among over 30 of his co-employees who all had information that Mr. Sullivan is alleged to have hidden from the FTC," Swaminathan said.

The appeal similarly challenged the misprision conviction, arguing that it criminalized bug bounty programs, a practice that other organizations have made a fundamental part of their security strategies. Sullivan's lawyers argued that the former Uber CISO had leveraged the program effectively to get the two hackers to disclose how they had accessed the data and to get them to agree not to publicly release it.

Criminalizing a Commonly Used Tactic

The bug bounty program worked as it should have, the brief claimed. "Mr. Sullivan and his team fully resolved the 2016 incident through a Bug Bounty agreement," the appeal noted. "Two young men agreed to disclose the vulnerability, destroy a database of 600,000 drivers' license numbers they had downloaded, and not disclose the data or incident publicly," the brief said. "Uber paid a $100,000 reward and pursued no legal action. No data was ever exposed. No Uber user was ever injured. Mr. Sullivan and his team had done their jobs."

By characterizing what Sullivan did as a crime, the government in effect asked the jury to view the bug bounty agreement as a hush money payment and not as an effective way to mitigate security risks, the brief claimed.

"We aren't raising new legal arguments or evidence, since we are confined to the record," says David Chamberlin, managing director at Orrick, in comments to Dark Reading. "But the appeal does emphasize key legal limitations on when an individual can be held criminally liable for organizational decisions, actions, and inactions." It also adds "nuance on the importance of bug bounty programs and the uncertain factual settings and legal frameworks in which they operate."

The government's response is due by Nov. 9, and Sullivan will have an opportunity to respond to that by Nov. 30. Oral arguments in the appeals case are projected to start in the spring of 2024, and a decision won't happen until mid- to late 2024, Chamberlin says.