- In what some analysts think could be the start of an era, former Uber security chief Joe Sullivan faces up to eight years in prison for folding a 2016 hack into the company's "bug bounty" program rather than reporting it to the Federal Trade Commission.
- “It wasn’t that long ago that it was pretty rare for senior leaders even to be fired in the aftermath of a breach,” Scott Shackelford, a professor of business law and ethics at Indiana University, told The Wall Street Journal.
- Now, he said, “This could be the first of many criminal prosecutions.”
Sullivan was found guilty of criminal obstruction charges in San Francisco on October 5 after a three-week trial in which he argued he had protected the records of almost 60 million customers by convincing hackers to become, post-breach, part of the company’s bug bounty program.
Under such a program, the company pays hackers to find and report vulnerabilities in its systems so it can fix them before they are exploited for real.
In this case, Sullivan, already dealing with an FTC review of a 2014 hack, worked with a member of Uber's in-house legal team to bring the hackers into the bounty program in exchange for a $100,000 cryptocurrency payment, on condition that they promised not to expose the data.
Sullivan reasoned that, as part of the bounty program, the breach didn’t need to be reported to the FTC.
“Mr. Sullivan believed that their customers’ data was safe and that this was not some incident that needed to be reported,” Sullivan’s attorney, David Angeli, said in closing arguments, the Journal reported. “There was no coverup and there was no obstruction.”
The jury thought otherwise.
Earlier in the trial, Craig Clark, a former member of Uber’s in-house legal team, testified that Sullivan asked him to find a way to fold the hack into the bounty program so it wouldn’t have to be reported.
“I remember Joe asking or saying, ‘How can we fit this into bug bounty?’” Clark testified.
Clark said he drafted an agreement for the hackers to sign, which Sullivan then changed to make it sound like the hackers had never obtained the customer data when in fact they had.
“The x’ing out of ‘obtained’ was where it changed from an accurate statement to an inaccurate statement,” Clark said.
As a result of his conviction, Sullivan faces a potential five-year sentence on the obstruction charge and up to three years for failing to report a felony.
“You can’t put a company in jail,” Chinmayi Sharma, a legal scholar in residence at the University of Texas at Austin, told The New York Times. “You can put an executive in jail. Now, that is on the table.”