A recent criminal verdict against a former Uber executive highlights the serious potential risks associated with concealing data breaches and using “bug bounty” programs as a means to hide hacking by threat actors. In early October, former Uber chief security officer Joe Sullivan was convicted of federal charges by unanimous verdict after four days of deliberation. The charges stemmed from payments Sullivan authorized to two hackers who breached the company’s data in 2016. This conviction came as a surprise to many security professionals. Many anticipated his acquittal because Sullivan had kept Uber’s CEO and others who were not charged informed of his actions. However, highlighting the insufficiency of this approach, Sullivan was found guilty of obstructing justice for failing to inform the Federal Trade Commission of the breach and of actively hiding a felony.
Sullivan’s troubles began when a hacker emailed Uber anonymously and described a security lapse that allowed the hacker and his partner to download data from one of Uber’s Amazon storage spaces. From the Amazon repository, the hackers were able to extract an unencrypted backup of data on more than 50 million Uber riders and 600,000 drivers.
Sullivan and his team directed the hackers to Uber’s “bug bounty” program, a system used by many organizations through which individuals can receive recognition and compensation for reporting software security vulnerabilities, noting that the top payout available was $10,000. The hackers rejected the offer, threatened to release the data, and demanded a six-figure payout. After engaging in further negotiation, Sullivan authorized a payment of $100,000 to the hackers with the condition that the hackers destroy the data and execute a nondisclosure agreement. Moreover, Sullivan and his staff discovered the hackers’ identities to use as leverage for enforcement of the agreement. The hackers were eventually arrested, and one even testified for the prosecution in Sullivan’s case.
The scheme was uncovered after Uber’s new chief executive, Dara Khosrowshahi, arrived and learned of the breach after its resolution. Sullivan misrepresented the handling of the breach to Khosrowshahi as a routine payoff, did not disclose the amount of the payoff, and also did not disclose that the hackers had obtained unencrypted personal identifying information of millions of riders. Khosrowshahi later fired Sullivan after further investigation.
Sullivan was prosecuted by the cybercrimes unit of the San Francisco U.S. Attorney General’s office, where he previously served as a cybercrimes prosecutor in the years prior to his work as a top security executive at Facebook, Uber and Cloudflare. He has not yet been sentenced—post-trial motions are pending, and the possibility of appeal remains.
The case against Sullivan was aggravated by two factors. First, at the time of the payment, Uber was nearing the end of a Federal Trade Commission investigation following another major data breach in 2014. Second, prosecutors argued that Sullivan’s use of a nondisclosure agreement was evidence that he intended to participate in a cover-up. Prosecutors argued that the hackers should not have qualified for the bug bounty program, which was intended to reward friendly security researchers, not to assist in covering up extortion attempts by malicious hackers.
On the other hand, many high-ranking individuals at Uber were in the loop on Sullivan’s actions, including a lawyer on Sullivan’s team, the company’s chief privacy lawyer, the company’s head of communications, and even Uber’s former chief executive. In fact, the then-chief executive, who was informed of the strategy within hours of the threat being discovered, approved of it.
The lawyer on Sullivan’s team was granted immunity and testified that he had advised Sullivan and the team that the attack would not have to be disclosed to the Federal Trade Commission if the hackers complied with the terms of the nondisclosure agreement. The hackers did not breach the agreement. Accordingly, prosecutors were only able to challenge whether Sullivan could have reasonably believed that the hackers would comply with the agreement, such that Uber’s customers and drivers were not at any further risk.
Notably, this marks the first major criminal case brought against a corporate executive as the result of a third-party data breach. It is quite possible that this case will remain novel. In the past five years, payoffs to data extortionists have become commonplace as ransomware attacks have become dramatically more frequent. While FBI leaders discourage the payoff practice and caution strongly against any payments that could be made to terrorist organizations or rogue nations, they have publicly commented that they will not pursue people and companies that pay ransoms if the payment does not violate sanctions prohibiting payments to named criminal groups, especially those close to the Russian government. Moreover, some insurance companies reason it is more cost-effective to pay ransoms than to cover the damage from lost files—although concerns about possible liability for payments to criminal enterprises can impact the nature of coverage.
Some have proposed making such payments to extortionist hackers illegal, but the FBI does not believe that would actually stop the payments. Rather, the FBI noted that it would give the extortionists another weapon against their victims after payment is made. So far, Congress has agreed and declined to ban the transactions.
This case certainly calls to the forefront the propriety of bug bounty programs. While it is common for bug bounty programs to require nondisclosure deals, a Microsoft security expert commented to The Washington Post that “bug bounty programs are being misused to hide vulnerability information.” Bug bounties are intended to offer rewards to hackers who were not inclined to commit crimes, not to sweep under the rug criminal acts that should be properly disclosed to authorities under state or federal rules. In the face of this criticism, it is wise for executives to be continuously mindful of how bug bounty programs are leveraged.
Another key takeaway for executives, especially those in the data security realm, is that while professional risk is a given, the prospect of personal criminal liability is on the table if the concealment approach is taken.