
Former Uber Security Officer Won’t Go To Prison For Covering Up A 2016 Data Breach

by Tim Cushing, from Techdirt (#6BMVC)

A rather strange prosecution of a former Uber executive finally comes to an end. And the first tech company executive to be convicted of criminal acts related to a data breach won't be going to prison, as Joseph Menn reports for the Washington Post.

Former Uber chief security officer Joe Sullivan avoided prison Thursday as he was sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach.

Sullivan had been convicted in October of obstruction of justice and hiding a felony, making him the first corporate executive to be found guilty of crimes related to a data breach by outsiders.

To be sure, some poor decisions were made by Sullivan. But this wasn't a case where a company carelessly exposed user data and then made moves to ensure its users never found out about it. This was extortion by cyber-criminals, an act aided by the accidental exposure of a digital key, which the extortionists used to obtain data on 600,000 drivers and 50 million passengers.

Sullivan's team tried to satisfy the extortionists with a $10,000 payment under the company's bounty program but the hackers insisted on a six-figure payout. Sullivan agreed to pay the amount, provided the hackers destroyed the data and never disclosed the breach. These were the acts federal prosecutors claimed amounted to obstruction of justice and hiding a felony.

According to Sullivan, this was done to ensure the data never leaked, while also using the back-and-forth with the extortionists to seek clues to their identities. The pair of extortionists was eventually arrested, with one of the two testifying on behalf of the prosecution(!).

With more and more companies paying ransoms to recover data/prevent data distribution, it seems extremely odd the government would go after someone who appeared to be doing what he could to protect drivers and passengers from having their personal data exposed or sold to other criminals.

And it's not as though Sullivan had a track record of being careless with sensitive data collected by the companies he worked for. That's the message that came through in the letters of support delivered to the court by more than 180 colleagues and security professionals.

The conviction shocked many security professionals, many of whom saw Sullivan, a onetime federal cybercrime prosecutor, as an industry leader who continued to work in the public interest as the top security executive at Facebook, Uber and Cloudflare.

They also criticized the government for criminalizing questionable judgment in paying off extortionists when the practice has become a regular occurrence at U.S. companies hit by ransomware.

What has now become an acceptable, if a bit unsavory, "solution" to ransom demands was treated as a criminal act in this case. This successful prosecution suggests the feds might go after more big tech targets if they find out those companies have been secretly negotiating with criminals.

The only assurance we have from the government that it won't start prosecuting security professionals for paying off crooks isn't all that assuring:

The FBI has said it will not pursue charges against those who approve payouts that do not go to gangs sanctioned for working in concert with Russian authorities or targeting critical infrastructure.

All well and good, but it's not like malicious hackers provide targets with business cards and employment history (such as it were...) when trying to extort cash from their victims. Attribution is difficult. With the proper operational security in place, it can be almost impossible. Unless hackers affirmatively declare their affiliation with the Russian government, victims of ransomware attacks won't actually know where the money is going. And with time being of the essence, sometimes the payment has to be made far ahead of the due diligence.

And it's not as though the federal government is willing to prosecute its own for careless handling of breaches and lax security practices that invite hackers to partake of massive, government-mandated data collections. This seems like a very selective prosecution meant to show the government won't let the private sector get away with mishandling their users' data.

It's unclear what deterrent effect this is supposed to create. If anything, it encourages companies to take a hands-off approach when dealing with extortionists, increasing the risk exfiltrated data will be publicized or sold to other criminals. That can't be what the federal government actually wants. But it seems like that's what it's going to get.
