Former Uber CSO Charged With Covering Up 2016 Data BreachJoe Sullivan Accused of Making 'Hush Money' Bitcoin Payoff to Hackers
Uber's former chief security officer, Joseph Sullivan, has been charged with obstruction of justice for allegedly covering up the 2016 hack attack that compromised sensitive data for 57 million Uber passengers and drivers.
The charges were filed on Thursday by the U.S. Attorney’s Office for the Northern District of California, where Sullivan formerly served as a federal prosecutor.
"Instead of promptly revealing the 2016 hack, Sullivan covered it up by having Uber pay the hackers $100,000 in hush money," David Anderson, the U.S. attorney for that California district, said at a Thursday press conference.
Prosecutors have also accused Sullivan, 52, who resides in Palo Alto, California, of taking further, "deliberate steps" to conceal and mislead the Federal Trade Commission as well as everyone on Uber's management team about the full details of the 2016 breach.
Two men eventually pleaded guilty to hacking Uber as well as other firms and await sentencing.
Sullivan has also been charged with misprision - "the deliberate concealment of one's knowledge of a treasonable act or a felony." He faces up to eight years in prison - a maximum of five years on the obstruction charge and three years on the misprision charge.
"We continue to cooperate fully with the Department of Justice’s investigation," an Uber spokesperson says. "Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."
At the Thursday press conference in San Francisco, Anderson was careful to laud both Silicon Valley's spirit of innovation as well as bug bounty programs - when they're used to pay white hat hackers. "It is perfectly OK for young companies to move fast and break things, but they cannot break the law," he said. "Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations; we will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments."
Former Federal Prosecutor
The charges are an unexpected turn for Sullivan, who formerly served as a federal prosecutor specializing in high-tech crime.
Bradford Williams, a spokesman for Sullivan, tells Information Security Media Group that the charges have "no merit," adding that "if not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all."
Seven years out of law school, Sullivan served as an assistant U.S. attorney from 2000 to 2002. Later, he worked for eBay and PayPal, and then served as CSO of Facebook from 2010 to 2015 before becoming CSO of Uber from 2015 to 2017. He also served as a commissioner on President Obama's Commission on Enhancing National Cybersecurity.
Sullivan's tenure at Uber came to an end in November 2017 when he was fired, shortly after Uber's new management team first learned of the specifics of the breach and $100,000 payment. He now works as CSO of Cloudflare.
Alleged Cover-Up via Bug Bounty Program
The charges against Sullivan stem from his alleged response to two hackers in 2016 compromising an Uber database containing names and driver’s license numbers for about 600,000 Uber drivers, as well as personal information associated with 57 million Uber users and drivers (see: Uber Concealed Breach of 57 Million Accounts for a Year).
Prosecutors allege that Uber remained unaware of the data breach until the two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for their silence, including not revealing the fact that they'd stolen information pertaining to 57 million Uber users and drivers.
Based on Nov. 15, 2016, written communications between former Uber CEO Travis Kalanick and Sullivan, prosecutors say it appears that Kalanick was informed about the potential data exposure, but that he told Sullivan via text message: "Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug emoji] bounty situation … resources can be flexible in order to put this to bed but we need to document this very tightly."
An investigation launched by Sullivan found that the hackers took stolen credentials and accessed Uber source code stored on the GitHub software development hosting site. In the source code, Uber's developers had left credentials for Amazon Web Services that enabled the two men to access an Uber backup file stored on Amazon's S3 storage service, which contained the 57 million rider and driver details (see: Medical Records Exposed via GitHub Leaks).
2014 Breach Investigation
The charges filed Thursday against Sullivan stem, in part, from the fact that around the time he learned of the 2016 breach, he had been designated by Uber to share the details of a near-identical September 2014 hack - in which attackers accessed GitHub and stole sensitive data - with the FTC.
"The FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath," Anderson said at the Thursday press conference. "Sullivan helped to prepare Uber's written responses and was the designated officer who gave the sworn testimony to the FTC. On Nov. 14, 2016, approximately 10 days after providing his testimony to the FTC, Sullivan learned of the 2016 hack. Sullivan did not report the 2016 hack as required. Instead, Sullivan hid the 2016 hack from the public and the FTC."
Prosecutors allege that Sullivan further hid the hack by funneling the payoff for the hackers through a bug bounty program. Uber had launched the bug bounty program in March 2016 through HackerOne - one of several companies that manage structured rewards programs to support companies' vulnerability disclosure programs.
"Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers refused to provide their true names," according to the criminal complaint against Sullivan, written by FBI Special Agent Mario C. Scussel.
Sullivan made the hackers sign a non-disclosure agreement that contained a false claim that they did not take or store the compromised data, according to the criminal complaint. When an unidentified Uber employee questioned Sullivan about the false claim, he allegedly insisted that the provisions in the NDA not be changed.
The U.S. attorney's office says the witness who provided that statement initially cited his rights under the Fifth Amendment and refused to be interviewed. But he later agreed to be interviewed in return for an agreement from federal prosecutors that his statements would not be used against him.
'No Lack of Security Knowledge or Care'
The criminal complaint against Sullivan notes that in April 2017, he also approved the wording of a letter being sent to the FTC, requesting that it close its investigation into Uber's 2014 breach. The letter included such statements as "Uber’s record of cooperation and engagement with FTC staff over the last 28 months has been exemplary" and that "the data security incidents at issue reflect no misdirected priorities, no failure to appreciate risks, and no lack of security knowledge or care."
The criminal complaint says that the 2016 Uber breach remained covered up until there was a change in Uber's management in 2017. And it says Sullivan told the new management team that the bug bounty had only been paid after Uber learned the real identities of the two men it paid.
"Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017. Since that time, Uber has responded to additional government inquiries," prosecutors say.
Following the public disclosure of the data breach in September 2018, Uber reached a $148 million settlement agreement with the attorneys general of all 50 states and the District of Columbia over its failure to report the breach in a timely manner, and it pledged to be more transparent.
Uber was also fined a total of more than $1 million by data protection authorities in both the U.K. and the Netherlands, over the security failures leading to the breach as well as its coverup.
In October 2019, the two men who received the $100,000 payoff pleaded guilty to conspiracy to commit extortion, and for also hacking other organizations, and for also attempting to shake down Lynda.com, now known as LinkedIn Learning. They face up to five years in prison and a fine of $250,000, but their sentencing has continued to be delayed.
"If Sullivan had promptly reported the Uber hack, those other hacks of those other companies may have been prevented," Anderson said.
But Sullivan has countered by saying that the response to this incident at Uber was a group effort, and that the group operated under instructions from the company's legal team. "This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included," Sullivan's spokesman tells ISMG. "If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department - and not Mr. Sullivan or his group - was responsible for deciding whether, and to whom, the matter should be disclosed."
Cloudflare CEO Comments
Shortly after leaving Uber, in 2018, Sullivan joined infrastructure services firmware Cloudflare as its CSO.
In a post to Twitter on Thursday, Cloudflare CEO Matthew Prince said the allegations are "sad to see," adding: "I hope this is resolved quickly for Joe and his family."
Sad to see Joe Sullivan allegations. Joe's had a distinguished career as a US Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare. Anytime an opportunity arose, Joe's advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family.— Matthew Prince (@eastdakota) August 20, 2020
A court date for Sullivan's arraignment has yet to be set.