Ex-Uber security chief Joe Sullivan has been convicted
U.S. District Judge William Orrick sentenced Sullivan to three years of probation, noting his significant past work protecting people from the type of crime he later covered up. He also said Sullivan’s steps had succeeded in preventing the stolen data from being revealed.
Orrick said he felt former Uber CEO Travis Kalanick was equally responsible for what he considered a serious offense, and he wondered aloud why Kalanick had not been charged. The judge also said he was moved by the unprecedented nature of the case, and warned that future offenders would be jailed, even if they were the Pope.
Sullivan’s conviction had shocked many security experts, who saw Sullivan, a former federal cybercrime prosecutor, as an industry leader who also worked in the public interest as the chief security officer at Facebook, Uber and Cloudflare.
They also criticized the government for criminalizing the questionable judgment of paying extortionists when the practice has become a common occurrence at US companies hit by ransomware. The FBI has said it will not pursue charges against those who approve payments that do not go to gangs under sanctions for working with Russian authorities or targeting critical infrastructure.
More than 180 letters were submitted to the judge praising Sullivan and asking that he be spared prison time to continue helping defense attorneys and victims of safety failures. One of the letters was signed by 40 current or former security or information chiefs.
But prosecutors sought 15 months in prison, arguing that so many people rallied to support Sullivan because he was rich and well-connected, and that justice demanded that such defendants be treated the same as poor outcasts.
Sullivan “has an unblemished record. He is respected in his community. He is an innovator in his field,” the U.S. attorney’s office in San Francisco wrote in a sentencing memo. “However, when given the opportunity to choose between himself and following the law, he chose himself. Worse, defendant Sullivan prioritized his and Uber’s interests over those of the tens of millions of Uber users and riders who trusted the company with their personal information.”
Both sides said their favored outcome would help strengthen cooperation between U.S. officials and private security efforts, a priority for the Biden administration as criminal hacking becomes more sophisticated and more intertwined with foreign government interests.
Kiersten Todt, who recently resigned as chief of staff at the federal Cybersecurity and Infrastructure Security Agency, wrote to the judge that top executives had warned her that the ruling would “make it impossible to recruit smart people for the roles of CISOs and CSOs whose incarceration is on the table – and will set the industry back.”
From the bench, Orrick said that letters in which other security chiefs said they also feared criminal prosecution showed that the authors did not understand the facts of the case. He said Sullivan deliberately deceived the government and caused real harm to the FTC and the public.
Speaking briefly and emotionally before the judge handed down the sentence, Sullivan took responsibility and apologized for harming his family, friends and the “noble profession” of cyber security.
“I was a bad role model,” Sullivan said in a halting voice. “We are there to be the customer’s champion and I failed in this case.”
Citing the letters in their own memo, Sullivan’s lawyers recounted a series of good deeds, such as establishing eBay’s trust and safety team and a Facebook child safety effort that his successor there, Alex Stamos, credited with delivering three-quarters of all alerts to the National Center for Missing & Exploited Children in 2021.
“It is not unreasonable to say that Joe and the handful of other leaders who tackled this problem in the early days are probably responsible for more global prosecutions of child sexual exploitation than virtually any other living person,” wrote Stamos, now director of the Stanford Internet Observatory.
The criminal case against Sullivan began when a hacker emailed Uber anonymously and described a security breach that allowed him and a partner to download data from one of the company’s Amazon-hosted data repositories.
It emerged that they had used a stray digital access key that Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of the data of more than 50 million Uber riders and 600,000 drivers.
Sullivan’s team directed them to Uber’s bug bounty program, noting that the top payout under it was $10,000. The hackers said they would need six figures and threatened to release the data.
The negotiations ended with a payment of $100,000 and a promise from the hackers that they had destroyed the data and would not reveal what they had done. While prosecutors called it a coverup, testimony showed that Sullivan’s staff used the process to gather clues that would lead them to the true identities of the perpetrators, which they believed was necessary leverage to hold them to their word. The two were later arrested and pleaded guilty to hacking charges, and one testified for prosecutors at Sullivan’s trial.
The obstruction charge drew strength from the fact that Uber, at the time, was nearing the end of an FTC investigation into a major breach in 2014, which occurred before Sullivan joined the company.
While leading the response to the two hackers, Sullivan kept many others in the company informed, including a lawyer on Sullivan’s team, Craig Clark. Evidence showed that Sullivan told Kalanick, Uber’s CEO at the time, and that Kalanick approved of Sullivan’s strategy. The company’s chief privacy counsel, who oversaw the response to the FTC, was briefed, and the head of the company’s communications team also had details.
Clark, the lawyer designated to handle breach matters, was granted immunity to testify against his former boss. Under cross-examination, he acknowledged advising the team that the attack would not have to be disclosed if the hackers were identified, agreed to delete what they had taken and convinced the company that they had not disseminated the data, all of which eventually happened.
Prosecutors were left to challenge “whether Joe Sullivan could possibly have believed that,” as one of them put it in closing arguments. In his comments Thursday, Sullivan said he should have sought an outside legal opinion instead of being relieved to get internal legal cover for not disclosing the breach.
After Kalanick was forced out of the company for unrelated scandals, his successor, Dara Khosrowshahi, stepped in and learned of the breach. Sullivan described it as a routine bug bounty payout, prosecutors said, redacting from one email the amount of the payout and the fact that the hackers had obtained unencrypted data, including phone numbers, of tens of millions of riders. After a later investigation revealed the full story, Khosrowshahi testified, he fired Sullivan for not telling him more sooner.
Eager to show it was operating in a new era, the company helped the US attorney’s office build a case against Sullivan. And prosecutors, in turn, unsuccessfully pushed Sullivan to implicate Kalanick, which would have been a far bigger prize but was not supported by the surviving written evidence, according to people familiar with the process.