Former Uber CSO Faces New Charge for Alleged Breach Cover-UpFeds Accuse Joe Sullivan of Using Bug Bounty to Hide 2016 Hack Attack and Breach
A federal grand jury has expanded the list of charges filed against the former chief security officer of Uber, who's been accused of a criminal data breach cover-up.
Joe Sullivan, 52, who served as Uber's CSO from April 2015 through November 2017, faces a new charge of wire fraud over a 2016 hack of the ride-sharing service, which resulted in the exposure of 57 million user and driver records. Sullivan now serves as the CSO of internet infrastructure services giant Cloudflare.
The Department of Justice first announced in August 2020 that Sullivan had been charged with obstruction of justice and deliberately concealing a felony. If convicted of those charges, Sullivan faces up to eight years in prison and a $500,000 fine.
On Wednesday, the Department of Justice announced that a federal grand jury had handed down a superseding indictment, adding a third charge: three counts of wire fraud, tied to Sullivan having allegedly attempted to defraud 600,000 Uber drivers by failing to inform them that their driver's license numbers had been exposed. Each wire fraud count carries a maximum sentence of 20 years in prison and a $250,000 fine.
A court date for Sullivan's arraignment on the new charge has yet to be set.
Feds Allege 'Hush Money' Paid to Hackers
The government's case hinges on Sullivan's alleged failure to report a 2016 data breach to authorities, which prosecutors accuse him of having mischaracterized as a less severe security incident, together with his allegedly paying hackers "hush money" to conceal the breach.
When hackers emailed Uber in November 2016 to inform it of a breach they had perpetrated, the ride-sharing service was in the process of providing detailed answers to the Federal Trade Commission, stemming from a September 2014 breach. Prosecutors say that as the person nominated by Uber to provide sworn testimony to the FTC, Sullivan should have immediately disclosed the breach to the FTC and - in accordance with California's data breach notification law - Uber should have notified all affected state residents that their personal details had been obtained by attackers.
"Institutions that store personal information of others must comply with the law," says Stephanie M. Hinds, the acting U.S. Attorney for the Northern District of California, where Sullivan formerly served as a federal prosecutor.
"When hacks like this occur, state law requires notice to victims," Hinds said. "Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either. We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company."
Uber's Hackers Plead Guilty
The two men who stole the data from Uber in 2016 demanded payment in exchange for having found and reported to the company the flaw they had exploited. They received $100,000 in bitcoins, which Uber sent to them in the form of a bug bounty payoff, in exchange for the men signing - although neither disclosed their name - a nondisclosure agreement and statement saying they had deleted any stolen data.
"The nondisclosure agreements falsely stated the hackers had neither taken nor stored Uber's data in the 2016 breach," the Justice Department says. "In addition, Sullivan allegedly misrepresented to Uber's new chief executive officer the nature and scope of the data that was compromised; falsely suggested to the new CEO that the incident was not a data breach; and sent an email falsely claiming that the data breach was not, in fact, a data breach at all, but rather an incident that was no more severe than other security incidents."
In January 2017, Uber successfully identified the two men and secured new NDAs from them, bearing their true names.
Prosecutors subsequently filed charges against the two men over the hack of Uber and a later hack against Lynda.com, in which they also attempted to extort the business into paying them hush money to not make details of the breach public. In October 2019, the two men pleaded guilty to computer fraud conspiracy charges; they have yet to be sentenced.
Sullivan was fired in 2017 after Uber's new CEO learned the full particulars of the breach and the $100,000 payment. The Justice Department says Uber has continued to assist with the FBI's breach investigation.
"If Mr. Sullivan had immediately reported the breach - instead of misleading the government by withholding information - the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented," says Craig D. Fair, the special agent in charge of the bureau's San Francisco division.
"This case should serve as an example to corporations and company executives that working with the FBI is crucial when dealing with the aftermath of a breach; such communication is a best practice in preventing the loss of data and private information," Fair says.
Sullivan Denies Allegations
Sullivan could not be immediately reached for comment on the new charge. But a spokesman for Sullivan last year dismissed the case as being "without merit."
"This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world's foremost security experts, Mr. Sullivan included," his spokesman, Brad Williams, told Information Security Media Group in August 2020.
"If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all," he added. "From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company's written policies. Those policies made clear that Uber's legal department - and not Mr. Sullivan or his group - was responsible for deciding whether, and to whom, the matter should be disclosed."
Takeaways for CSOs and CISOs
Security experts have questioned whether Sullivan is being scapegoated for decisions made in conjunction with other senior managers at Uber (see: Implications for CSOs of Charges Against Joe Sullivan).
Regardless, Mark Rasch, who's of counsel to the law firm of Kohrman, Jackson & Krantz, has said that the case highlights a number of best practices that all CSOs and CISOs should follow.
"At a minimum, keep your lawyer advised of what you are doing, and get them to approve it. And if your lawyer tells you to do something you think is a crime, get another lawyer - or at least a second opinion," Rasch said. "Nobody has paid me enough money as a lawyer to go to jail for them - at least not yet."