Former Uber CSO Joseph Sullivan on His Trial and the Future

In May, Joseph Sullivan, former Uber’s former CSO, was sentenced to three years of probation, plus a $50,000 fine, for covering up a 2016 data breach at the rideshare company. The CSO community has been closely following Sullivan’s case, wondering what it means for their job roles and levels of personal risk.

In this two-part interview, Sullivan spoke with InformationWeek about the response to the incident at Uber, the outcome of his trial, and how he plans to work with the security community going forward. For background, see the US Federal Trade Commission's complaint against Uber and the US Department of Justice's indictment against Sullivan.

Sullivan’s answers have been edited for clarity. The second half of the interview will appear tomorrow, June 2.

Let’s get started with some background. How did you first become interested in cybersecurity as a career path?

Sure, I always had an interest in technology and the internet. I grew up in Cambridge, Mass., kind of right under the shadow of MIT. My younger brothers took summer classes there when they were kids, and we just played around with computers a lot.

When I got into my career, very early on, I was the person who was doing the voluntary tech support for our offices. I think when I was working in San Francisco for the Department of Justice, I was the person who requested that we have an internet connection in the office to do research, and after much haranguing, I was able to get a direct internet connection to my desk where I could do research and things like that. And that was in 1995.

Related:Conquering Cyber Risk Management as a Transformational CISO

Then, I had the good fortune of becoming a federal prosecutor, and I was in the Las Vegas US Attorney's office. I moved from San Francisco to Las Vegas for the role. So, I joined what was called the white-collar unit. So, we were focusing on all kinds of white-collar crimes. However, I think I was one of the few prosecutors who had a computer on their desk that they were using for all kinds of stuff.

The agents who were doing the cyber investigations back then, of which there were a few, started coming to me and we started working on them together. Then, my office asked me to be part of a specialized program where I would get training on cybercrime. So, I became part of something that the Department of Justice started called the Computer and Telecommunication Coordinators (CTC). So, I was the CTC for the district.

Then, at the end of 1999, Robert Mueller who went on to run the FBI, he started a high-tech unit in the US Attorney's office in the Northern District of California. And so, I jumped at the opportunity to move back to California and be one of the founding members of that unit. At that point, I went from about half my cases being cyber-related to full-time high-tech cases. So, that's how I got down that path.

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

You made the transition to the private sector. Can you talk about what initially attracted you to the CSO position at Uber?

So, it was a bit of a journey. I spent the first eight years of my career in government. I didn't know too much about working in a company and had never really thought about it too much. Then, I was recruited by a leader at eBay who told me about what was happening. I think I'd prosecuted the first ever eBay fraud case in federal court back when I was in Las Vegas. So, I was familiar with the eBay platform. But I hadn't really thought about what it would be like to work inside a company until I spoke with the team there two years later. They said, look if you can come inside the company, you can help us protect buyers from seller fraud and things like that.

And I remember back in 2002, when I went to eBay … I remember talking to my mom and saying, “Well the business model is people list items for sale. Other people want it and then they put cash in an envelope to mail it and hope that the other person will send them the goods.” The idea that the internet had that level of trust was crazy, and that the idea that business could actually work that way, but eBay did. The online payment platforms were just starting to get going and because people really saw the impact, the positive impact of the internet on commerce and connectivity.

Related:6 Pain Points for CISOs and CIOs and What to Do About Them

So, I got excited about that. I went to eBay and spent seven years there. Then, I went over to Facebook when it was early days at Facebook in 2008. I spent almost seven years there, and then I was recruited to Uber.

At the beginning of 2015, I was recruited to Uber because, if you looked at 2014 at Uber, they had quite a spectacularly bad year from a cybersecurity standpoint. They were a small company that was growing really fast, and they had all kinds of issues in 2014. They had a major data breach that they declared, I think, at the end of 2014. [Editors note: Uber discovered the May 2014 breach in September 2014 and disclosed it publicly in March 2015.] There was a really troubling sexual assault case involving an Uber driver and rider in India that was making global news. And there were a bunch of stories about how insiders at Uber were inappropriately accessing customer data in a way that was alarming to the board and to the media and to potential customers.

So, I was recruited by the board and exec team to come in to try and help bring security and catch up with the rest of the company, so to speak, in terms of the business and where it already was. So, I joined in April 2015.

Let’s talk about the 2016 data breach at Uber. How did you first learn about the breach?

I'll refer to it as a security incident just because I think of the words data breach as a defined term and different laws and stuff like that. I want to be careful because I am not an expert on all those laws. I also don't think that this case should be compared to any other quote-unquote data breach because, as the judge recognized at my sentencing, the data is not out in the wild. Uber drivers whose information was at-risk in this case were protected by my team. My team did a very good job in tracking down the people's access to data and made sure that they weren't going to be distributed in the wild. And so, this case is very different from when you see it on the list of hundred worst data breaches ever. It's different from everything else on that list, in that the data is not out in the wild being used and never has been.

In this case, what happened was I received an email one morning and it said -- I forget the exact phrasing -- but I received an email from the outsiders who said they had access to … I forget exactly what they said, but they said they had some level of access. It looked like a lot of emails that I receive in that role. So, I did what I always do, I forwarded it on to the bug bounty team.

Uber ultimately paid those individuals $100,000 through its bug bounty program to delete the compromised data to ensure it wasn’t out in the wild, and it secured NDAs from the hackers. What can you tell me about the conversations leading up to that course of action? Who was involved in these discussions?

This is another example where the court made a really clear, specific observation at the sentencing hearing. The work that we did to send the NDA and try to engage with the outsiders was intentionally done as part of an investigation in order to get attribution. The team was acting with the goal of securing the data and making sure that it was protected. That was the primary goal of the security team, and that goal was accomplished by the use of the NDA and the payment and all the investigative work that went on around it.

Were there any other courses of action considered?

I think everyone is very proud of how the security team handled the incident from an investigation response and recovery and protect the customer standpoint. I consider it outstanding work. When the new CEO [Dara Khosrowshahi] testified as a government witness at the trial, even he acknowledged that were he in the role at the time, he would have paid the amount of money that was paid to protect the customer's data.

Now, as you mentioned, when you came on board, Uber had had a bad year. There was the data breach in 2014; the company was working through that process with the US Federal Trade Commission. Can you talk about the decision not to disclose the 2016 incident to the FTC? What did that conversation look like? Who ultimately made the final call on that?

As was reflected in the records that were presented at the trial, I was in regular dialog with our CEO. The record also showed at the trial that we included in all of the meetings and all of the dialog representatives from the legal team and the communications team, as well as the investigations and response teams. A large number of people inside the company were involved in the process and response and how we handled it.

It also turned out that the lawyer who ran the privacy team and oversaw and managed the FTC investigation, she was also made aware of the full incident and had the opportunity to disclose that to the FTC as well. So, it's not like one team over in a corner keeping a secret. My team followed the incident response documented processes that we had in place. We looped in the teams that we always looped in whenever we're doing an incident response.

As you said, there were a lot of people involved. Looking back, is there anything you think that you could have done differently?

So, I've thought about that a lot, and you see a lot of conversations in the CSO community and the security community, talking about: How do I avoid being in this situation? And there are lots of things that you should be doing in incident response that not every security team does. We kept, I think, pretty good records. We had running logs of the meetings and the detailed agenda of the meetings, the things we covered.

But, when I think about it in hindsight, there's one thing that would've diffused all the claims and made everything less risky for me as an individual. That would have been to have a third party involved. One of the things that's hard to figure out, how to explain … So, we made a bunch of decisions in a moment, in a week, during an incident response in 2016 that were second-guessed a year later inside the company by a new CEO [Dara Khosrowshahi, who replaced Travis Kalanik in 2017], a new chief legal officer. So, all of the leadership that had been involved from a legal and an executive standpoint had changed.

If there had been a third party -- If I had said, did we check with outside counsel and have they weighed in? Or, if we brought in a third-party incident response firm. And then it would just have insulated my team and me from the suggestion that we were acting with malintent.

What was your reaction when you learned you were being charged?

I didn't believe it. I was shocked.

In the second part of this interview, Sullivan shares his thoughts on Uber’s response, the trial, and outcomes.