Federal prosecutors have accused former Uber security chief Joe Sullivan of obstructing justice by concealing a 2016 data breach from Federal Trade Commission investigators. Sullivan is now the chief security officer at Cloudflare.
In a statement, a spokesman for Sullivan said that “the government’s [charges] have no merit.”
“From the outset, Sullivan and his team have worked closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” the spokesman wrote. “That policy made it clear that Uber’s legal department – and not Mr Sullivan or his group – was responsible for deciding whether, and to whom, the case should be disclosed.”
The criminal complaint, filed Thursday, suggests that Uber’s then-CEO Travis Kalanick was aware of the intrusion and of Sullivan’s efforts to cover it up. It also acknowledges that Uber’s general counsel may have known about the breach by April 2017. But it claims that Sullivan kept others involved in Uber’s FTC response in the dark about the incident.
Two breaches, two years apart
In 2014, Uber suffered a data breach after hackers found cloud storage credentials hard-coded in Uber source code that an Uber engineer had accidentally posted on GitHub. The credentials provided access to live data stored on Amazon’s S3 cloud storage service. The hackers gained access to the names and driver’s license numbers of about 100,000 Uber drivers, as well as a much smaller number of bank account and Social Security numbers.
The breach triggered an investigation by the Federal Trade Commission. In November 2016, the FTC interviewed Sullivan. He had joined Uber in 2015 after five years as Facebook’s chief security officer (we interviewed him in 2013 and 2014), so he had not been there for the 2014 breach. Still, as Uber’s security chief, it fell to him to explain it to FTC investigators.
According to the criminal complaint, Sullivan explained in his testimony that it was common at the time to write access IDs and other secrets directly into code that needed to request information from another service.
Ten days after his testimony, Sullivan learned that Uber had suffered a second breach that was almost a replay of the first. This time, hackers used stolen logins to access Uber’s private code on GitHub. That code still contained some hard-coded Amazon S3 credentials, and with them the hackers gained access to about 600,000 names and driver’s license numbers.
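The mechanism behind both breaches is the same: a long-term cloud key committed to a repository, readable by anyone who gets at the code. The following is an added example, not code from the article, from Uber or from the criminal complaint. It is a small scanner of the kind a pre-commit hook or CI job would run over a repository: it flags AWS access key IDs, 40-character secret assignments and credentials embedded in S3 URIs, uses a Shannon-entropy filter so placeholder strings do not fire, and shows the hardened alternative of taking the credentials from the deploy-time environment. The sample source lines, the `ENTROPY_THRESHOLD` value and the function names are assumptions made for this example; the key values are AWS’s published placeholder credentials, not live secrets.

```python
"""Scan source for the hard-coded cloud credentials described above.

Added example, not code from the article, from Uber or from the complaint.
The sample source lines are constructed; the key values are AWS's published
placeholder credentials (AKIAIOSFODNN7EXAMPLE etc.), not live secrets.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Mapping

# Long-term AWS access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 characters from [A-Z0-9]. The lookarounds stop a longer token
# (e.g. a hex digest) from producing a partial match.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# An assignment of a 40-character base64-alphabet string to something named
# like secret_key / SECRET_ACCESS_KEY, matched case-insensitively.
AWS_SECRET_ASSIGN_RE = re.compile(
    r"""(?i)secret(?:_?access)?_?key\s*[=:]\s*['"]([A-Za-z0-9/+=]{40})['"]"""
)

# Credentials embedded in a storage URI: s3://ACCESS_KEY:SECRET@bucket/path
S3_URI_CREDS_RE = re.compile(r"s3://([^:\s@]+):([^@\s]+)@")

# Placeholder strings ("aaaa...", "xxxx...") have near-zero entropy, while a
# real 40-character secret lands around 4-5 bits per character. The threshold
# is an assumption to tune per code base.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str) -> list[Finding]:
    """Return every credential-looking token in `text`, with its 1-based line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_ASSIGN_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "aws_secret_access_key", candidate))
        for m in S3_URI_CREDS_RE.finditer(line):
            # Report the key ID only; never echo the secret into scanner output or logs.
            findings.append(Finding(line_no, "s3_uri_embedded_credentials", m.group(1)))
    return findings


def load_aws_credentials(env: Mapping[str, str]) -> tuple[str, str]:
    """Hardened counterpart: take the credentials from the process environment,
    injected at deploy time, so nothing secret lives in the repository. On AWS
    itself an IAM role / instance profile is better still, since then there is
    no long-term key to leak at all."""
    try:
        return env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]
    except KeyError as exc:
        raise RuntimeError(
            f"missing {exc.args[0]}; refusing to fall back to a hard-coded value"
        ) from None


# Constructed sample "source file" showing the anti-pattern and two non-findings.
SAMPLE_SOURCE = "\n".join([
    "import boto3",
    "",
    "# long-term key checked into the repo: the pattern that leaked via GitHub",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'BACKUP_URL = "s3://AKIAI44QH8DHBEXAMPLE:je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY@backups/drivers.csv"',
    "",
    "# not findings: a zero-entropy placeholder and a plain bucket path",
    'SECRET_KEY = "' + "a" * 40 + '"',
    'DATA_URL = "s3://backups/drivers.csv"',
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} ({f.value[:4]}...)")
```

Run against the constructed sample, the scanner reports four findings on lines 4, 5 and 6 and stays silent on the placeholder and the plain bucket path. The entropy filter is what keeps a scanner like this usable in CI; without it, every `secret_key = "changeme..."` fixture would be a false positive and the check would be switched off within a week.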
Uber paid the hackers to keep quiet
The Uber security team immediately recognized that it would be embarrassing to announce a second breach while the FTC was still investigating the first. “Information is extremely sensitive and we need to keep it tightly controlled,” said one internal document.
So Uber decided to treat the intrusion as part of its bug-bounty program. Under that program, Uber pays white-hat hackers for information about vulnerabilities in its software. Typically, payments are less than $10,000, and hackers are not supposed to exploit vulnerabilities to gain access to user data. In ordinary bug-bounty cases, hackers may publicly disclose a vulnerability once Uber has fixed it.
But Uber’s lawyers wrote a special contract for these hackers. In exchange for an unusually large payment of $100,000, the hackers signed a strict non-disclosure agreement. The deal required the hackers to state, falsely, that they had not accessed user data.
According to prosecutors, Kalanick was aware of this plan. At 1 a.m. on Nov. 15, Sullivan texted Kalanick. “I have something sensitive that I would update you on if you had a minute,” he wrote.
Ten minutes later – and perhaps after a telephone conversation – Kalanick texted Sullivan back. “Must have certainty about what he has, sensitivity / exposure to it and confidence that he can really treat this as a bounty situation … sources may be flexible to put this to bed, but we need to document this very closely.”
It was a full year before the FTC learned about the 2016 breach. Kalanick was forced out as Uber’s CEO in June 2017 and replaced by Dara Khosrowshahi a few months later. When Khosrowshahi learned about the situation, he fired Sullivan and reported the new breach to the FTC. The FTC withdrew a tentative settlement agreement, and the investigation dragged on for another year before the case was finally settled in 2018.
The feds say Uber’s cover-up may have prevented law enforcement from bringing the hackers to justice sooner. In the year between the breach and Uber’s disclosure of it, the hackers used similar techniques against several other large companies. If Uber had reported the breach immediately, the feds might have caught the responsible hackers much earlier and spared those companies the same fate.
Who knew what, and when?
The government’s complaint does not accuse Sullivan of lying directly to the FTC. But it portrays Sullivan as the mastermind of Uber’s efforts to keep the FTC in the dark.
Sullivan’s statement suggests he will fight the charges, arguing that he was not personally responsible for Uber’s handling of the situation. The government’s complaint acknowledges that Kalanick also knew about the breach and authorized an unusually large payment to the hackers to keep it under wraps. But the government claims that few others at Uber knew about it.
For example, Sullivan was consulted on a draft of a letter Uber sent to the FTC in April 2017. It touted Uber’s record of cooperation with the agency, including its practice of voluntarily submitting relevant information to the agency. In response, Sullivan wrote, “Letter looks ok to me.”
The final version of that letter touted the new security measures Uber had put in place since the 2014 intrusion, including “comprehensive additional protections for the data [Uber] stores in the S3 datastore” and “company-wide improvements in credential protection and management.”
FBI agent Mario Scussel, the author of the government’s complaint, wrote that “based on my investigation, I do not believe that any of the persons responsible for compiling the April 19 letter to the FTC was made aware of the data breach of 2016.” But in a footnote, he hedged this broad statement, acknowledging that Uber’s general counsel may have known that the breach occurred. He added, “I have not seen any evidence that the general counsel was aware of the details, such as the nature of the attack or the PII that was stolen.”