Cyber Security Blog

Former Uber CISO Convicted: What, How & Why?

Written by Aditi Uberoi | 11 October 2022

Uber Technologies’ former CISO, Joseph Sullivan, has been convicted of federal charges for covering up a 2016 data breach in which the personal information of 57 million Uber users was stolen. A United States federal jury has found Sullivan guilty of obstructing the proceedings of the Federal Trade Commission (FTC). Apparently, Sullivan, then in charge of security operations and cyber security at the company, spearheaded the scheme in which Uber paid hackers $100,000 through its bug bounty program to not release the data and stay silent on the attack. The hack was disclosed in 2017 when the new Uber CEO, Dara Khosrowshahi, stepped into his new role.

This conviction is a watershed moment in cybersecurity history, and not because CISOs are rarely made the scapegoat for security incidents. They often are, but the consequences are usually limited to being publicly blamed or fired. This is believed to be the first time that a CISO of a major U.S. company has been convicted for a data breach and its ensuing cover-up.

Did the CISO’s job just become tougher than it already is? The spotlight on the former Uber CISO’s conviction definitely seems to say so. The pressure is on and the message is clear - executive due diligence is of paramount importance where cybersecurity is concerned. 

The more important lesson here? Cyber-attacks happen to everyone and all the time. The real clincher lies in how you respond to them, record the events and report the incident. If this event has taught us anything, it is this: Incident Response Handling has never been as critical to business continuity and brand perception as it is today.

In the table below, we capture some of the major news stories around this massive moment in global cybersecurity. The idea of creating this resource is strictly educational. We, at Cyber Management Alliance, do not take any responsibility for the veracity of the facts mentioned in any of the news stories. We have only collated some of the useful resources for anyone who wishes to educate themselves on how the events unfolded in the former Uber CISO’s conviction.

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

| Comments/Summary | Source URL |
| --- | --- |
| Former Uber security chief convicted of covering up a 2016 data breach | https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach |
| | https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/ |
| Federal Jury Finds Joseph Sullivan Guilty of Obstruction of the Federal Trade Commission and Misprision of a Felony | https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/ |
| Uber Boss Testifies He ‘Could Not Trust’ Ex-Security Chief | https://www.nytimes.com/2022/09/16/business/dara-khosrowshahi-ceo-uber-breach-trial.html |
| Uber names hackers behind breach | https://www.linkedin.com/news/story/uber-names-hackers-behind-breach-6001122/ |
| Recent Uber data breach | https://www.linkedin.com/posts/arnabray_the-recent-uber-data-breach-wherein-a-teenager-activity-6977447370343006208-UgfB/ |
| The majority of security professionals do not understand corporate structure and accountability. | https://www.linkedin.com/feed/update/urn:li:activity:6983702650076721152/ |
| Former Uber security chief convicted for concealing a felony | https://www.bbc.com/news/technology-63157883 |
| Former Uber CSO convicted for covering up massive 2016 data theft | https://www.google.com/search?q=UBER+CISO+convicted&oq=UBER+CISO+convicted&aqs=chrome..69i57j0i10i22i30l2j0i390l3.498j0j4&sourceid=chrome&ie=UTF-8 |
| Ex-Uber security chief convicted of hiding hack from federal regulators | https://arstechnica.com/tech-policy/2022/10/ex-uber-security-chief-convicted-of-hiding-hack-from-federal-regulators/ |
| What Uber’s Joe Sullivan Case Means For ‘Sacrificial CISOs’ | https://www.forbes.com/sites/andrewhayeurope/2022/10/06/uber-decision-implications-for-virtual-cisos/?sh=1ed815131748 |
| Guilty verdict in the Uber breach case makes personal liability real for CISOs | https://www.csoonline.com/article/3676148/guilty-verdict-in-the-uber-breach-case-makes-personal-liability-real-for-cisos.html |
| Cyber attorney on Uber case: ‘Sullivan should have been well aware of his obligation’ | https://www.scmagazine.com/analysis/compliance/cyber-attorney-on-uber-case-sullivan-should-have-been-well-aware-of-his-obligation |
| This is believed to be the first criminal prosecution of a company executive over the handling of a data breach. | https://twitter.com/NoraNiLoideain/status/1577906545043570690 |
| “I know a lot of people are freaking out about the Uber CISO verdict, but this verdict has little to do with being a CISO.” | https://twitter.com/MalwareJake/status/1578077700748615681 |
| “The risk is to make cybersecurity a toxic function that talented people avoid. Exactly the opposite of what we need.” | https://twitter.com/dhinchcliffe/status/1578050725048877057 |
| Whom should we sympathise with? | https://twitter.com/Krevetk0Valeriy/status/1570728380953395202 |
| Former Uber CISO Convicted | https://music.amazon.co.uk/podcasts/55315ba7-0b44-4fca-b7ef-d1e5606fcca8/episodes/42c8dfe4-3538-4065-b2c1-cb1ac27242cc/the-cyberhub-podcast-sql-backdoor-former-uber-ciso-convicted-george-finney-on-his-book-project-zero-trust |
| Former Uber CISO Faces Prison Time For Mishandling Cyberattack | https://josephsteinberg.com/former-uber-ciso-faces-prison-time-for-mishandling-cyberattack-justice-scapegoating-or-both/ |

Interesting Opinions on the Uber CISO Conviction