Ninth Circuit upholds conviction of ex-Uber security chief in data breach cover-up
CN
13 Mar 2025
SAN FRANCISCO (CN) - A Ninth Circuit panel on Thursday upheld the conviction of Joseph Sullivan, the former chief security officer at Uber, on federal obstruction of justice and other charges after he covered up a 2016 data breach while he was at the company.
Prosecutors accused Sullivan of covering up a data breach after two hackers broke into Uber's Amazon data storage server and swiped the personal information of 57 million app users, including names, phone numbers, email addresses and 600,000 driver's license numbers.
After the breach, the hackers reached out to Sullivan to demand ransom. At that point, to hide the breach, Sullivan treated it as a routine "bug bounty," a program used to reward people for finding and reporting security vulnerabilities in software, systems or websites. He funneled a $100,000 ransom to the hackers and had them sign a nondisclosure agreement.
A jury convicted Sullivan in 2022 of obstruction of justice and he was sentenced to three years' probation and ordered to pay a $500,000 fine.
Sullivan appealed, and his attorneys argued for a new trial, saying the jury was not given proper instructions. But Senior U.S. Circuit Judge Mary McKeown, a Bill Clinton appointee, wrote in the panel's 20-page ruling Thursday that a reasonable jury could find that Sullivan knew the conduct he was engaging in was a felony.
McKeown wrote that even if Sullivan believed the hackers were unauthorized within the meaning of the Computer Fraud and Abuse Act, he could not reasonably believe that treating the hack as a bug bounty and having the hackers sign NDAs cleansed the illegal conduct.
"The hackers' use of stolen credentials to access protected, private servers was a typical CFAA violation. Sullivan argues that Uber's post hoc authorization, via the NDA, retroactively rendered the hackers' access authorized - thereby erasing their felony," McKeown wrote. "But this is a false premise, inconsistent with the most plain and natural reading of the CFAA. In the statute, 'without authorization' modifies the present-tense verb 'accesses.' An actor's authorization, or lack thereof, is assessed at the moment of access.
"Because the hackers had not been given authorization by the time of access, their access was unauthorized. Their illegal conduct could not be laundered through an NDA," McKeown wrote.
At his appeal hearing this past October, Sullivan argued that Uber could change the terms of its bug-bounty program on a whim if it wanted to, and that he did not knowingly break the law.
McKeown dismissed that argument, noting that Sullivan used to be an assistant U.S. attorney in a computer hacking and IP unit, and surely knew that what he was doing was a felony.
"The jury's verdict in this case underscores the importance of transparency even in failure situations - especially when such failures are the subject of federal investigation. The verdict is not tainted by any of the claimed instructional or evidentiary errors, nor can it be overturned for insufficiency of the evidence. We affirm the district court in all relevant respects," McKeown wrote.
Sullivan's attorney Aravind Swaminathan vowed to continue the case. "While we are disappointed with the court's decision, we continue to have confidence in the merits of our appeal and believe the precedent on which the court relied is no longer good law. We are also concerned that today's opinion will unfairly and inappropriately put those who serve on the cybersecurity front lines at risk. Accordingly, we will now be turning our attention to further appellate review," Swaminathan said.
U.S. Circuit Judges Ana de Alba and Anthony Johnstone, both Joe Biden appointees, joined McKeown's opinion.
The Department of Justice did not respond to a request for comment on the panel's ruling.
Source: Courthouse News Service