Former Uber stability chief faces prison charges for hiding 2016 breach

Federal prosecutors have charged previous Uber stability main Joe Sullivan with obstruction of justice for hiding a 2016 details breach from Federal Trade Commission investigators. Sullivan is now the main protection officer at Cloudflare.

In an emailed assertion, a spokesman for Sullivan claimed the government’s charges have “no advantage.”

“From the outset, Sullivan and his staff collaborated closely with lawful, communications and other suitable teams at Uber, in accordance with the company’s published procedures,” the spokesman wrote. “People guidelines built obvious that Uber’s legal department—and not Mr. Sullivan or his group—was accountable for determining irrespective of whether, and to whom, the make a difference should really be disclosed.”

The prison grievance, submitted Thursday, implies that Uber’s then-CEO Travis Kalanick was knowledgeable of the breach and Sullivan’s efforts to deal with it up. It also concedes that Uber’s normal counsel might have been knowledgeable of the breach by April 2017. But it argues that Sullivan held other folks concerned in Uber’s FTC response in the dim about the incident.

Two breaches, two decades apart

In 2014, Uber endured a info breach just after hackers observed cloud storage credentials really hard-coded in Uber supply code that an Uber engineer unintentionally printed on GitHub. The qualifications supplied accessibility to live details stored on Amazon’s S3 cloud storage services. The hackers gained entry to names and driver’s license quantities for close to 100,000 Uber motorists, as very well as a substantially smaller sized variety of financial institution account and Social Safety figures.

The breach activated an investigation by the Federal Trade Fee. In November 2016, the FTC interviewed Sullivan. He experienced joined Uber in 2015 just after 5 decades as Facebook’s main security officer (we interviewed him in 2013 and 2014), so he hadn’t been around during the 2014 breach. But as Uber’s new stability main, it was his work to make clear the scenario to the FTC’s investigators.

In accordance to the legal criticism, Sullivan “elaborated that it was typical at the time to generate entry IDs and other tricks specifically into code when that code required to call for details from one more support.”

Ten times right after his testimony, Sullivan uncovered that Uber had endured a next breach that was a close to replay of the initial one. This time, a hacker reportedly stole credentials to gain entry to Uber’s private code on GitHub. And that code nevertheless experienced some tricky-coded Amazon S3 credentials. The hackers gained obtain to all around 600,000 names and drivers’ license figures.

Uber paid out the hackers to stay silent

Uber’s protection crew right away regarded that it would be embarrassing to announce a second breach although the FTC was even now investigating the 1st one particular. “Information is really delicate and we have to have to retain this tightly managed,” one inner document claimed.

So Uber determined to take care of the breach as aspect of its bug bounty plan. Below that program, Uber pays white-hat hackers for details about vulnerabilities in its software package. Ordinarily, payments are less than $10,000 and hackers are not meant to exploit vulnerabilities to accessibility consumer info. And in bug bounty instances, hackers are authorized to publicly disclose a vulnerability after Uber has fixed the vulnerability.

But Uber’s attorneys wrote a distinctive agreement for these hackers. In exchange for an unusually huge $100,000 payment, the hackers signed a strict non-disclosure settlement. The offer asked hackers to state—falsely—that they experienced not accessed any person facts.

In accordance to prosecutors, Kalanick was knowledgeable of this program. At 1am on November 15, Sullivan texted Kalanick. “I have a thing sensitive I’d like to update you on if you have a moment,” he wrote.

Ten minutes later—and presumably just after a telephone conversation—Kalanick texted Sullivan again. “Have to have to get certainty of what he has, sensitivity/exposure of it and self confidence that he can definitely treat this as a 🐛 bounty condition… means can be adaptable in get to set this to bed but we need to doc this incredibly tightly.”

It was a full year before the FTC learned about the 2016 breach. Kalanick was pressured out as Uber’s CEO in June 2017 and changed by Dara Khosrowshahi a pair of months later. When Khosrowshahi uncovered about the problem, he fired Sullivan and noted the new breach to the FTC. The FTC withdrew a tentative settlement settlement and the investigation dragged on for yet another yr right before the situation was lastly settled in 2018.

The feds say Uber’s protect-up might have prevented regulation enforcement from bringing the hackers to justice before. In the 12 months involving the breach and Uber’s disclosure of it, the pair employed very similar methods to hack quite a few other large firms. If Uber had described the breach instantly, it is feasible that the feds would have caught the hackers liable a lot previously and saved some other companies from the exact destiny.

Who knew what, and when?

The government’s complaint would not accuse Sullivan of specifically lying to the FTC. But it portrays Sullivan as the mastermind of Uber’s endeavours to keep the FTC in the darkish.

Sullivan’s push assertion implies that he will combat the prices by arguing that he was not personally accountable for Uber’s handling of the situation. The government’s quick acknowledges that Kalanick also understood the breach occurred and approved an unusually big payment to the hackers to keep it below wraps. But the govt claims that few some others at Uber understood about it.

For case in point, Sullivan was consulted on a draft of a letter Uber sent to the FTC in April 2017. It touted Uber’s history of cooperation with the company, together with its follow of voluntarily submitting applicable information to the agency. In reaction, Sullivan wrote, “Letter seems to be okay to me.”

The last model of that letter touted the new stability measures Uber had set into location due to the fact the 2014 breach, which include “substantial more protections for the information it outlets [Uber] stores in the S3 datastore” and “company-huge advancements in credential safety and management.”

FBI agent Mario Scussel, the writer of the federal government grievance, wrote that “primarily based on my investigation, I do not believe that any of the persons liable for drafting the April 19 letter to the FTC experienced been created aware of the 2016 info breach.” But in a footnote, he hedges this broad statement, acknowledging that Uber’s standard counsel could have recognized the breach occurred. He added, “I have seen no evidence that the standard counsel was mindful of the details, this kind of as the nature of the assault or the PII that was stolen.”