The New York Times reported that on Aug. 20, U.S. Attorney for the Northern District of California David Anderson announced that a criminal complaint was filed against Uber's former Chief Security Officer, Joseph Sullivan, for obstruction of justice and misprision of a felony in attempting to conceal the 2016 hack on the company's database. If found guilty, he could face eight years imprisonment.
Sullivan, 52, served as the ridesharing giant's security officer from April 2015 and November 2017.
2014 Data Breach
The complaint alleges that between May 2015 and November 2016, the Federal Trade Commission (FTC) conducted inquiries of the company's 2014 data breach. The FTC required written responses to several questions and a designated Uber officer to provide testimony under oath. Sullivan fulfilled that role and "participated in conference calls with FTC attorneys; reviewed Uber’s submissions to the FTC; gave a presentation to FTC staff in Washington, D.C.; and sat for a sworn investigative hearing similar to a deposition. Sullivan was therefore intimately familiar with the nature and scope of the FTC’s investigation, and he held himself out as familiar with that investigation."
2016 Data Breach
However, in November 2016, Sullivan allegedly learned of a recent data breach, which occurred approximately ten days after his sworn testimony. He failed to report it to authorities. Instead, the complaint states, he "engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers."
Two hackers, later known as Brandon Charles Glover and Vasile Mereacre, contacted Sullivan via email, admitted they had "accessed and downloaded an Uber database containing personally identifying information (PII) associated with approximately 57 million Uber users and drivers," and clearly expressed "a six-figure payout."
Uber began its own investigation to validate the data breach. That day, the "security team realized an unauthorized person or persons had accessed [Amazon Web Services] and obtained, among other things, a copy of a database containing approximately 600,000 drivers’ license numbers for Uber drivers." Interestingly, Sullivan realized that the method used for the 2014 breach was nearly identical to the 2016 breach: "the attackers were able to access Uber’s source code on GitHub (this time by using stolen credentials), locate an AWS credential, and use that credential to download Uber’s data."
Based on Uber's internal documents and employee witness statements, the Federal Bureau of Investigation (FBI) found that Sullivan "instructed his team to keep knowledge of the 2016 Breach tightly controlled," "stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out," and that "the company was going to treat the incident under its 'bug bounty' program."
A bug bounty program is "designed to incentivize white-hat hackers, or 'researchers,' to identify security vulnerabilities by offering a monetary reward in exchange for such efforts. However, the terms and conditions of Uber’s bug bounty program did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems."
The complaint stated that Uber arranged to pay hush money, valued at $100,000 in bitcoin, to the hackers before learning of their real identities. The bug bounty program "had never awarded a bounty even close to $100,000 and had a nominal cap of $10,000."
Sullivan also had the hackers sign Non-Disclosure Agreements (NDAs), another non-standard bug bounty policy. The NDA stated the hackers had not stolen personal data, which both Sullivan and the hackers knew was a false representation.
In September 2017, Uber hired a new CEO. Sullivan's security team put together a brief for him that accurately provided details that about the 2016 hack including that the hackers accessed "potentially all rider and driver data in plaintext,” and hackers "'still had possession of our data' when they reached out to Uber in November 2016." Sullivan changed "all" to "some" and "removed any admission that the hackers actually took the data."
Ultimately, the new CEO learned the truth, fired Sullivan, and released a public statement about the 2016 data breach in November 2017.
According to the New York Times, Sullivan is currently the chief information security officer at the internet company Cloudflare.
Because Sullivan did not report the hack, withheld information from law enforcement and the public, and attempted to cover-up the data breach, he is being charged with:
In October 2019, the hackers, Glover, a Florida man, and Mereacre, a Canadian National, pleaded guilty to "an extortion conspiracy involving a plot to extract bounties from victim corporations in exchange for the defendants’ promise to delete stolen confidential data." The victim companies are Uber and LinkedIn. According to the Justice Department, "The maximum statutory penalty for conspiracy to commit extortion involving computers is five years imprisonment and a fine of $250,000. The court may also order an additional term of supervised release and restitution; however, any sentence will be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553."
“Silicon Valley is not the Wild West,” said U.S. Attorney Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”
Sullivan's spokesperson, Bradford Williams, said to The New York Times, "If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all...Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”