Federal prosecutors have charged former Uber security chief Joe Sullivan with obstruction of justice for hiding a 2016 data breach from Federal Trade Commission investigators. Sullivan is now the chief security officer at Cloudflare.
In a statement sent via email, a Sullivan spokesman said the government's charges had "no value".
"From the outset, Sullivan and his team have worked closely with legal, communications and other relevant teams at Uber in accordance with the company's written guidelines," the spokesman wrote. "These guidelines made it clear that Uber's legal department – and not Mr. Sullivan or his group – was responsible for deciding whether and to whom the matter should be disclosed."
The criminal complaint filed on Thursday suggests that Uber's then-CEO Travis Kalanick was aware of the breach and of Sullivan's efforts to cover it up. The complaint also acknowledges that Uber's general counsel may have been aware of the breach by April 2017. But it argues that Sullivan kept others involved in Uber's FTC response in the dark about the incident.
Two breaches in two years
In 2014, Uber suffered a data breach after hackers found cloud storage credentials hardcoded in the Uber source code that an Uber engineer accidentally posted on GitHub. The credentials enabled access to live data stored in Amazon's S3 cloud storage service. The hackers gained access to names and driver's license numbers for around 100,000 Uber drivers, as well as a much smaller number of bank account and social security numbers.
The breach sparked an investigation by the Federal Trade Commission. In November 2016, the FTC interviewed Sullivan. He had joined Uber in 2015 after five years as Facebook's chief security officer (we interviewed him in 2013 and 2014), so he hadn't been there during the 2014 breach. But as Uber's new chief security officer, it was his job to explain the situation to FTC investigators.
According to the criminal complaint, Sullivan "learned that it was customary at the time to write access IDs and other secrets directly into code when that code needed information from another service."
Ten days after his testimony, Sullivan learned that Uber had suffered a second breach that was almost a repeat of the first. This time around, a hacker allegedly stole credentials to gain access to Uber's private code on GitHub. And that code still had some hard-coded Amazon S3 credentials. The hackers gained access to around 600,000 names and driver's license numbers.
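Both breaches described above came down to the same defect: an AWS credential pair committed to source code. As an added example that is not part of the original article or of any Uber tooling, the Python scanner below flags source lines that look like hard-coded AWS access key IDs and secret keys, the check a code review or pre-commit hook would run before code reaches GitHub. The sample "source file" is constructed; its key values are AWS's documented placeholder examples, not real credentials.

```python
import re
from typing import List, Tuple

# Constructed sample source file with a hard-coded S3 credential pair, the
# kind of thing the article describes ending up on GitHub. The values are
# AWS's own documentation examples, not live keys.
SAMPLE_SOURCE = '''
import boto3

# TODO: move these to the environment before release
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def driver_bucket():
    return boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                        aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) plus 16 uppercase letters/digits.
ACCESS_KEY_RE = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')

# Secret access keys are 40 characters from [A-Za-z0-9/+]. Requiring the line to
# also name a secret key avoids flagging every 40-character base64 blob.
SECRET_KEY_RE = re.compile(
    r'(?i)(aws)?_?secret_?(access)?_?key\W{0,5}([A-Za-z0-9/+]{40})\b')


def redact(value: str) -> str:
    """Keep only the first 4 characters so findings can be logged safely."""
    return value[:4] + "*" * (len(value) - 4)


def find_hardcoded_aws_creds(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every credential found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", redact(m.group(3))))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_aws_creds(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} = {value}")
```

Pattern matching only catches keys in AWS's known format; the durable fix is keeping secrets out of the repository entirely (environment or a secrets manager) and rotating any key that was ever committed.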
Uber paid the hackers to keep quiet
Uber's security team immediately realized that it would be embarrassing to announce a second breach while the FTC was still investigating the first. "Information is extremely sensitive and we have to strictly control it," an internal document said.
As a result, Uber decided to treat the breach as part of its bug bounty program. Under that program, Uber pays white hat hackers for information about vulnerabilities in its software. Typically, payments are less than $10,000, and hackers are not supposed to exploit vulnerabilities to access user data. In normal bug bounty cases, hackers can publicly disclose a vulnerability once Uber has fixed it.
But Uber's lawyers wrote a special contract for these hackers. In return for an unusually high payment of $100,000, the hackers signed a strict non-disclosure agreement. The deal asked the hackers to falsely state that they had not accessed user data.
According to prosecutors, Kalanick was aware of this plan. At 1:00 a.m. on November 15, Sullivan texted Kalanick. "I have something sensitive that I would like to let you know when you have a minute," he wrote.
Ten minutes later – and probably after a phone call – Kalanick wrote back. "We need to get certainty about what he has, sensitivity / disclosure of it and confidence that he can really treat this as a bounty situation … Resources can be flexible to put this to bed, but we need to document exactly."
It took a full year for the FTC to learn of the 2016 breach. Kalanick was ousted as CEO of Uber in June 2017 and was replaced by Dara Khosrowshahi a few months later. Upon learning of the situation, Khosrowshahi fired Sullivan and reported the new breach to the FTC. The FTC withdrew a preliminary settlement agreement, and the investigation lasted another year before the case was finally settled in 2018.
The government says Uber's cover-up may have prevented law enforcement from bringing the hackers to justice earlier. In the year between the breach and Uber's disclosure, the pair used similar techniques to hack several other large companies. If Uber had reported the breach promptly, it is possible that the government would have caught the hackers responsible much sooner and spared some other companies the same fate.
Who knew what and when?
The government complaint does not accuse Sullivan of directly lying to the FTC. But it shows Sullivan as the mastermind of Uber's efforts to keep the FTC in the dark.
Sullivan's statement suggests that he will fight the charges by arguing that he was not personally responsible for Uber's handling of the situation. The government's complaint confirms that Kalanick also knew the breach took place and approved an unusually large payment to the hackers to keep it under wraps. But the government claims few others at Uber knew about it.
For example, Sullivan was consulted on a draft letter Uber sent to the FTC in April 2017. The draft pointed to Uber's record of cooperating with the agency, including its practice of voluntarily providing relevant information. In response, Sullivan wrote, "The letter looks fine to me."
The final version of this letter touted the new security measures Uber had put in place since the 2014 breach, including "full additional protection for the data Uber stores in S3 data store" and "company-wide improvements to credential protection and management."
FBI agent Mario Scussel, author of the government complaint, wrote, "Based on my investigation, I do not believe that any of the people responsible for drafting the April 19 letter to the FTC was aware of the 2016 data breach." In a footnote, however, he qualifies this general statement and admits that Uber's general counsel may have known that the breach took place. He added, "I saw no evidence that the General Counsel knew the details such as the nature of the attack or the personal information stolen."