Metropolitan News-Enterprise

Friday, March 14, 2025

Page 1

Ninth Circuit:

Uber Ex-Executive’s Conviction Over Data Breach Is Proper

Opinion Says Former Chief Security Officer, Who Previously Worked as Assistant U.S. Attorney in Cybercrime Unit, Failed to Show He Did Not Know His Attempt to ‘Cleanse’ Hack With Paid Nondisclosure Agreement Was Futile

By Kimber Cooley, associate editor

JOSEPH SULLIVAN, felon

The Ninth U.S. Circuit Court of Appeals held yesterday that the former chief security officer of Uber Technologies Inc. was properly convicted of obstruction of justice and misprision—the offense of concealing a felony from federal authorities—over his attempt to hide an October 2016 breach of about 57 million users’ and drivers’ personal information from a federal agency.

That agency—the Federal Trade Commission (“FTC”)—was at the time investigating the company’s practices over a similar incident in 2014.

The appellant, Joseph Sullivan, was convicted of the charges on evidence showing that he tried to cover up the second breach, which was accomplished by exploiting the same vulnerabilities at issue in the ongoing FTC inquiry, by recharacterizing the hack as “research” into the company’s vulnerabilities under a so-called “bug bounty program.”

Under such programs, corporations pay external “security researchers” to find and report weaknesses in their systems. After discovering the breach, which involved the disclosure of the names and driver’s license numbers of approximately 600,000 contractors, Sullivan paid the hackers $100,000 to delete the information and to sign a nondisclosure agreement (“NDA”) in a purported attempt to turn the incident into a bug bounty exercise.

Even though he was actively involved in Uber’s response to the FTC investigation of the first breach—he testified before the commission about the company’s data encryption practices and supervised the preparation of official responses—Sullivan did not report the incident. He also signed off on statements indicating that certain of Uber’s stores of private data were encrypted, even though the hack exposed holes in those protections.

In 2017, Uber hired a new CEO, Dara Khosrowshahi, who fired Sullivan and publicly disclosed the breach.

Convicted of Charges

On Oct. 5, 2022, a jury convicted Sullivan on the charges. Then-District Court Judge William H. Orrick III of the Northern District of California (now a senior judge) sentenced him to three years of probation and a $50,000 fine.

After his sentencing, The Associated Press, in a May 4, 2023 story, said the case is “believed to be the first criminal prosecution of a company executive over a data breach.”

Sullivan challenges the sufficiency of the evidence presented at trial to support his misprision conviction under 18 U.S.C. §4, which provides:

“Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.”

He argues that the underlying crime had been “cleansed” by the NDA and that he did not know that the conduct was illegal or felonious, as required by §4.

In an opinion authored by Senior Circuit Court Judge M. Margaret McKeown, and joined in by Circuit Judges Anthony D. Johnstone and Ana de Alba, the court rejected those and other assertions. In affirming the convictions, McKeown noted Sullivan’s unique “sophistication” in this field, pointing out that he “had been an Assistant U.S. Attorney in a ‘Computer Hacking and IP Unit.’ ”

Misprision Charge

McKeown said that the crime of misprision requires the government to prove that a principal committed a specified felony and “[h]ere, that meant proving that the hackers had ‘intentionally accesse[d]’ Uber’s computers ‘without authorization…and thereby obtain[ed]’ information” in violation of the Computer Fraud and Abuse Act (“CFAA”), codified at 18 U.S.C. §1030.

Noting that “[t]he hackers’ use of stolen credentials to access protected, private servers was a typical CFAA violation,” she pointed out that Sullivan argues that Uber’s post hoc authorization, via the NDA, retroactively provided permission for the breach and erased any felonious conduct.

Faulting that logic, McKeown wrote:

“[T]his is a false premise, inconsistent with the most plain and natural reading of the CFAA….An actor’s authorization, or lack thereof, is assessed at the moment of access….Because the hackers had not been given authorization by the time of access, their access was unauthorized. Their illegal conduct could not be laundered through an NDA.”

Full Knowledge

She remarked that the government also needed to show that Sullivan had “full knowledge” that the hackers had committed the underlying crime. The defendant argues that he reasonably believed that his recharacterization of the hackers’ conduct, as part of Uber’s bug bounty program, cleansed their actions and rendered the access legal.

Addressing that contention, McKeown commented that “[t]he evidence does not support this argument.” She noted that “before the NDA was signed, he knew and believed that their conduct was illegal” and “[a] year after the incident, Sullivan referred to the hackers as ‘unauthorized’ in an email to Uber’s new CEO.”

McKeown noted that the prosecution must show that the defendant had knowledge the felony being concealed is punishable by more than a year in prison—an element she reasoned a rational juror could infer from Sullivan’s history as a federal prosecutor who had “helped prosecute a CFAA violation” which involved a maximum sentence of five years.

The jurist also rejected Sullivan’s challenge to his obstruction-of-justice conviction, which was based on Orrick’s refusal to give two of his proposed jury instructions, finding no error.

The case is U.S. v. Sullivan, 23-927.

Copyright 2025, Metropolitan News Company