
Week 10 Studio: Uber Breach

Today’s case study resulted in Joe Sullivan, the former Chief Information Security Officer (CISO) of Uber, being convicted of two felonies – the first time a CISO has ever been held criminally liable for a corporate security breach.

First, some background: In May of 2014, hackers broke into Uber’s database and stole information on 50,000 drivers. Uber did not discover and fix this breach until September 2014. As a result of this breach, the US FTC launched an investigation into the data security practices at Uber, and determined that Uber was not protecting sensitive data up to modern standards. Uber and the FTC entered into a “consent decree”, which is an agreement between a company and the US government that is filed with the courts and can later be enforced by the courts. This consent decree required Uber to hire a Chief Information Security Officer (CISO), undertake a number of modern data security protections, and notify the FTC of any future breaches.

Now, for today’s case. In 2016 — two years later — a hacker broke into Uber’s server and stole information about 57 million drivers and riders on Uber’s services, including phone numbers, email addresses, and names. The hacker accessed this information as it was stored on a third party (cloud) server that was operated by Uber.

The hacker then contacted Uber’s CISO Joe Sullivan, and asked for a $100,000 ransom payment to delete the copy of the data. Sullivan (the CISO) told Travis Kalanick (the CEO) about this. Sullivan asked the hacker to report this breach to the company’s bug bounty program, and then used that program to send the attacker $100,000 and ask the attacker to sign a non-disclosure agreement.
That same week, Sullivan testified before the FTC that Uber had not had any further breaches after the May 2014 breach.

For unrelated reasons, the board fired Travis Kalanick (the founder and CEO) and replaced him with Dara Khosrowshahi. When this new CEO learned of the breach and bug bounty payment, he fired Mr. Sullivan (the CISO) and reported the breach to the FTC. Not long after this, the US Department of Justice opened an investigation into Mr. Sullivan for lying to the FTC.

In October of 2022, Mr. Sullivan was found guilty in a federal court of hiding information from the FTC. He was sentenced to three years of probation and a $50,000 fine.

Part 1: Understand the Case

Let’s use the skills we’ve been developing to understand this case. Start by reading the two news articles linked above. You’ve read through a number of case studies, and are starting to get a better gut feeling for what information is important and what information isn’t. Trust your gut; you can always go back and look again later. You can also google for more information; this case was in the news a lot, Uber was very cooperative with the DoJ investigation, and almost all details have been made public, so there are a lot of news stories about it.

Let’s go through the same process we have been doing for the last couple of weeks to map out and understand what is happening.

Figure out who the relevant actors are. We’ve got the attackers, the victim, additional defenders, etc. Fill out an actors and motivations worksheet for each of them to try to think through who was doing what, and why they did what they did.

Figure out the attack, and what vulnerability enabled the attack. How did the attacker get into Uber? How did Mr. Sullivan find out?

Don’t spend too long on this. Details help, but all of this work is really to help you gain a basic understanding of what happened. You should hopefully be getting faster and better at these tasks as you practice them every week.

Part 2: Fixing the Problem

Before this, Mr. Sullivan was a highly respected expert in cybersecurity who worked for the Department of Justice, Uber, and Cloudflare, and was appointed to multiple advisory committees. Mr. Sullivan claims that he was just “doing his job” to protect the company Uber from cyber risks and bad press, and that all of his actions are common, everyday occurrences for most CISOs.

However, the U.S. Government decided to prosecute and convict Mr. Sullivan. Mr. Sullivan claims that this prosecution basically makes all CISOs liable to be thrown in jail when their companies get hacked, and means that no one will be willing to be a CISO as a result. He claims that creating criminal liability for normal CISO activities will make it significantly harder to actually protect companies from cyberattacks.

The U.S. Government disagrees, and claims that what Mr. Sullivan did was unusual, and outside of the realm of normal cybersecurity work protecting companies. They claim that he lied and covered up attacks, and that those lies and coverups harmed users of the company’s products.

This is a complex policy issue. Should the U.S. Government want CISOs to act like Mr. Sullivan did to protect their companies, or should the government draw a line and stop CISOs from acting like Mr. Sullivan did? And if the government wants to discourage this behavior, is criminal law (i.e. throwing people in jail) the best way to discourage this?

Lawfare blog has a good writeup about these policy questions that is worth reading. It will help you think through some of these questions.

Another similar case: the SEC filed criminal charges last October against the CISO of SolarWinds for making false and misleading statements that misled the company’s investors and failing to disclose cybersecurity risks. That case is still pending, though SolarWinds has requested it be dismissed and multiple business groups support that position.

Is this a good policy?

Your first goal is to try to figure out if what the U.S. Government did is a good policy. Fill out a policy worksheet to try to think through and evaluate this situation.

Think about this policy in terms of the economics and politics involved. Is this a good idea? Can you come up with a better policy for the US?

New Policy for Corporations

Once you’ve filled out the policy worksheet, you should have a better idea about how to think about some of the challenges involved in this situation. This is tough – the US doesn’t want people lying to it and covering things up, but it really wants companies to be able to protect themselves from cyberattacks and take actions to protect their public image.

Think about the different goals for the actors involved – the companies, the CISOs, the hackers, the government. Can you come up with a good policy that will encourage companies to continue to protect themselves from cyberattacks, but still be able to oversee security breaches and protect consumers from companies that abuse them or lose their data?

Right now, the US government has used criminal law to set this policy. It said “if you do these specific things, then you are a criminal and we will throw you in jail”. That is, it set a bright line: any actions that cross that line are not allowed, but any actions that don’t cross that line are fine. Is criminal law a good way to do this? If so, what, specifically, should be against the law?

Also, consider if there are other alternatives. Is there a way to accomplish these goals without using criminal law? For example, the security breach notification laws require companies to notify consumers of security breaches. This is NOT a criminal law – no one goes to jail if consumers are not notified – but it still is an effective policy to encourage companies to protect data about consumers. Can you come up with a new policy that is NOT criminal law, but still might get Uber to better protect data?