Former Uber CISO Convicted: What, How & Why?

Date: 11 October 2022

Uber Technologies’ former CISO, Joseph Sullivan, has been convicted of federal charges for covering up a 2016 data breach in which the personal information of 57 million Uber users was stolen. A United States Federal Jury has found Sullivan guilty of obstructing the proceedings of the Federal Trade Commission (FTC). Apparently, Sullivan, then in-charge of security operations and cyber security at the company, spearheaded the scheme in which Uber paid hackers $100,000 through its bug bounty program to not release the data and stay silent on the attack. The hack was disclosed in 2017 when the new Uber CEO, Dara Khosrowshahi, stepped into his new role.

The reason why this conviction is a watershed moment in cybersecurity history is not because CISOs aren’t often made the scapegoat for security incidents. But it is usually limited to them being publicly blamed or fired for such incidents. This is believed to be the first time that a CISO of a major U.S company has been convicted for a data breach and its ensuing cover-up.

Did the CISO’s job just become tougher than it already is? The spotlight on the former Uber CISO’s conviction definitely seems to say so. The pressure is on and the message is clear - executive due diligence is of paramount importance where cybersecurity is concerned.

The more important lesson here? Cyber-attacks happen to everyone and all the time. The real cincher lies in how you respond to them, record the events and report the incident. If this event has taught us anything it is this - Incident Response Handling has never been as critical to business continuity and brand perception as it is today.

In the below table, we capture some of the major news stories around this massive moment in global cybersecurity. The idea of creating this resource is strictly educational. We, at Cyber Management Alliance, do not take any responsibility for the veracity of the facts mentioned in any of the news stories. We have only collated some of the useful resources for anyone who wishes to educate themselves on how the events unfolded in the former Uber CISO’s conviction.

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

Comments/ Summary	Source URL
Former Uber security chief convicted of covering up a 2016 data breach	https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/
Federal Jury Finds Joseph Sullivan Guilty of Obstruction of the Federal Trade Commission and Misprision of a Felony	https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/
Uber Boss Testifies He ‘Could Not Trust’ Ex-Security Chief	https://www.nytimes.com/2022/09/16/business/dara-khosrowshahi-ceo-uber-breach-trial.html
Uber names hackers behind breach	https://www.linkedin.com/news/story/uber-names-hackers-behind-breach-6001122/
Recent Uber data breach	https://www.linkedin.com/posts/arnabray_the-recent-uber-data-breach-wherein-a-teenager-activity-6977447370343006208-UgfB/
The majority of security professionals do not understand corporate structure and accountability.	https://www.linkedin.com/feed/update/urn:li:activity:6983702650076721152/
Former Uber security chief convicted for concealing a felony	https://www.bbc.com/news/technology-63157883
Former Uber CSO convicted for covering up massive 2016 data theft	https://www.google.com/search?q=UBER+CISO+convicted&oq=UBER+CISO+convicted&aqs=chrome..69i57j0i10i22i30l2j0i390l3.498j0j4&sourceid=chrome&ie=UTF-8
Ex-Uber security chief convicted of hiding hack from federal regulators	https://arstechnica.com/tech-policy/2022/10/ex-uber-security-chief-convicted-of-hiding-hack-from-federal-regulators/
What Uber’s Joe Sullivan Case Means For ‘Sacrificial CISOs’	https://www.forbes.com/sites/andrewhayeurope/2022/10/06/uber-decision-implications-for-virtual-cisos/?sh=1ed815131748
Guilty verdict in the Uber breach case makes personal liability real for CISOs	https://www.csoonline.com/article/3676148/guilty-verdict-in-the-uber-breach-case-makes-personal-liability-real-for-cisos.html
Cyber attorney on Uber case: ‘Sullivan should have been well aware of his obligation’	https://www.scmagazine.com/analysis/compliance/cyber-attorney-on-uber-case-sullivan-should-have-been-well-aware-of-his-obligation
This is believed to be the first criminal prosecution of a company executive over the handling of a data breach.	https://twitter.com/NoraNiLoideain/status/1577906545043570690
“I know a lot of people are freaking out about the Uber CISO verdict, but this verdict has little to do with being a CISO."	https://twitter.com/MalwareJake/status/1578077700748615681
“The risk is to make cybersecurity a toxic function that talented people avoid. Exactly the opposite of what we need."	https://twitter.com/dhinchcliffe/status/1578050725048877057
Whom should we sympathise with?	https://twitter.com/Krevetk0Valeriy/status/1570728380953395202
Former Uber CISO Convicted	https://music.amazon.co.uk/podcasts/55315ba7-0b44-4fca-b7ef-d1e5606fcca8/episodes/42c8dfe4-3538-4065-b2c1-cb1ac27242cc/the-cyberhub-podcast-sql-backdoor-former-uber-ciso-convicted-george-finney-on-his-book-project-zero-trust
Former Uber CISO Faces Prison Time For Mishandling Cyberattack	https://josephsteinberg.com/former-uber-ciso-faces-prison-time-for-mishandling-cyberattack-justice-scapegoating-or-both/