Uber Ex-CSO's Trial: Who's Responsible for Breach Reporting?While Joe Sullivan Is Accused of Perpetrating Cover-Up, Where Should the Buck Stop?
Should the CSO of Uber have reported a security incident to authorities after discovering signs of unusual behavior?
See Also: Threat Horizons Report
That's one of the big questions now being asked in the trial of Joe Sullivan, a Silicon Valley stalwart who in 2020 was charged with four years earlier hiding a big breach at the ride-hailing service Uber. He's also been accused of obstructing a government investigation and charged with wire fraud.
Sullivan vigorously denies the allegations.
His trial began Sept. 7 in San Francisco and is being closely watched by the cybersecurity community. It's the first time a CSO or CISO has ever faced charges over a data breach. Typically they just get fired (see: Implications for CSOs of Charges Against Joe Sullivan).
Written communications show that Sullivan briefed then-Uber CEO Travis Kalanick about the incident and appeared to have also identified to him the data exposure. In a text message, Kalanick responded to Sullivan: "Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug emoji] bounty situation … resources can be flexible in order to put this to bed but we need to document this very tightly."
Here are some questions cybersecurity professionals have been asking:
- Could security professionals be held personally liable for future breaches that they fail to report to authorities?
- Did Sullivan err by not ensuring that the data breach came to light publicly - even if he had to turn whistleblower?
- Was this an unfortunate series of events in which Sullivan was retroactively snared as Uber attempted to clean up its image?
So-Called Bug Bounty
Uber's big 2016 security breach resulted from two individuals using stolen credentials to access Uber's GitHub site, where they found Amazon Web Services credentials that enabled them to access an Uber backup file stored on Amazon's S3 storage service, which contained the 57 million rider and driver details. The two men contacted Uber in November 2016, demanding $100,000 for details of what they'd done.
In December 2016, Uber paid the men $50,000 each via its HackerOne bug bounty program, after they signed a nondisclosure agreement promising to delete the data. They subsequently pleaded guilty to extorting and hacking multiple organizations, including Uber and LinkedIn.
In November 2017, Uber belatedly issued a data breach notification. As a result of the delay, it reached a $148 million settlement agreement with U.S. states and paid U.K. and Dutch data protection authorities more than $1 million in fines.
Two months ago, Uber admitted to covering up the breach, as part of an agreement with the Department of Justice to resolve its criminal probe of the breach and failure to report it to the Federal Trade Commission. Uber also agreed to continue assisting the government's prosecution of Sullivan.
How the Government Can Cry Cover-Up
The government's charges against Sullivan involve him having been designated as the officer who would provide sworn responses to the government's questions as it probed a previous data breach at Uber.
Sullivan was hired in the spring of 2015. Prosecutors say that the 2016 breach came to light only days after Sullivan had provided sworn responses to the FTC about Uber's security program. They allege that he should have immediately updated regulators about the security incident and that by not doing so, he perpetrated misprision - knowingly covering up a felony.
Sullivan indicates he believes the Uber legal department was responsible for determining what, if anything, got communicated externally and how.
When it came to informing others about a security incident, "If we couldn't contain, it's legal's job to decide," Sullivan in late September 2017 told an attorney who was part of a team hired by Uber's board of directors to review the security incident, Courthouse News Service reported.
The attorney, Randall Lee, told the court on Tuesday that his notes show that Sullivan had also told him that "my assumption was they would conclude yes" and report the breach, although it "depends on where the users are," in reference to whether or not they might be in Europe, and thus protected by the General Data Protection Regulation.
Where Does the Buck Stop?
The trial highlights questions about where the buck stops in a company's breach response and what the legal team's responsibilities are. Ian Thornton-Trump, CISO of Cyjax, says via Twitter that his experience is more that legal offers advice to an executive, who then decides how to proceed.
Regardless, he says that the case highlights the issues of who manages whom and who makes the decision to report a data breach. "The question of who is responsible and accountable looms large."
One takeaway for cybersecurity professionals from the case already is "to make sure you have D&O coverage," which is insurance that reimburses executives for defense costs incurred when defending claims filed by shareholders or third parties, Jamil Farshchi, CISO at Equifax, says via LinkedIn.
In his post, Farshchi also decries "tribalism" by the cybersecurity community over support for Sullivan, given the facts of the case. "Nobody is disputing that a breach of 57M people occurred, Uber concealed it, and that Joe Sullivan - the CISO at the time - was involved in the concealment. There very well may have been others involved. And if so, they too should be held to account. But it doesn't change that what Sullivan did was wrong. Really wrong."
In the midst of responding to the security breach, should Sullivan and his team have handled things differently? Likewise, should Uber's senior management team or legal department have handled things differently or better communicated internally? Is a data breach not obviously a data breach if the individuals who obtained the data swear that they never viewed or shared it?
"IMHO, Sullivan made a difficult call in gray territory … dozens of CISOs have told me they would have made the same call he did," says cybersecurity reporter Nicole Perlroth. "It was highly nuanced and it's worth reading the exchanges between Sullivan's team and the hackers and deciding yourself."
In exchanges between the hackers and Uber, "John Dough" told the company that they expected to receive $100,000 for sharing the intrusion method and agreeing to get rid of the data. "Hopefully this gives you an insight of what really could've went down if someone else had the intention of doing harm."
The 2016 security incident came to light after Dara Khosrowshahi took over from Kalanick as CEO. He ordered a review of the incident and then the public breach notification. He also fired Sullivan as well as in-house attorney Craig Clark, who had directly overseen a $100,000 payment to the two hackers.
Uber's new management team portrayed the incident as something that happened under the previous leadership team's watch. By disclosing the incident, it said it was cleaning house. Perlroth, for one, suggests Sullivan got caught out by this subsequent recasting, as the company attempted to rehabilitate its reputation.
So many questions seem to remain unanswered, including: What will a jury decide? For now, Sullivan's trial continues.