Joe Sullivan, the former head of security at Uber has been charged with obstruction of justice and concealing a felony by US prosecutors.
Sullivan, who is currently chief security officer at Cloudflare, was CSO at Uber in October 2016 when two attackers took the personal information of millions of Uber customers.. Uber paid the criminals $100,000 to delete the data, and failed to notify the authorities, or the customers affected. A year later, in November 2017, incoming Uber CEO Dara Khosrowshahi found out and sacked then-CSO Sullivan.
Last week, following an investigation by the FBI, prosecutors from the Corporate Fraud Strike Force of the US Attorney’s Office issued a summons and held a press conference, alleging Sullivan played a role in Uber paying $100,000 in Bitcoin to the attackers.
According to the DoJ, Sullivan had previously played a pivotal role, when Uber responded to the Federal Trade Commission’s (FTC) inquiries about a previous incident when it was hacked back in 2014. The prosecutors said that on November 14, 2016, 10 days after providing testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again. Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email.
A total of 57 million Uber customers' data was stolen by hackers off of an AWS database. The hackers stole the data by accessing Uber’s source code on GitHub and via stolen credentials, located AWS credentials in the code, and opened an S3 bucket on AWS containing the database.
Sullivan, according to prosecutors, passed off the attack as a response to a legitimate approach in which security professionals were paid under a bug bounty for revealing a security flaw. The DoJ’s complaint suggests Sullivan and his team of security analysts tracked down the hackers and made them sign non-disclosure agreements (NDA) despite not initially having their names. Later, Uber made the hackers sign another NDA with their identities revealed, but prosecutors say it “contained a false representation that the hackers did not take or store any data.”
“Silicon Valley is not the Wild West,” said US Attorney David Anderson, “we expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.”
“Concealing information about a felony from law enforcement is a crime,” said Deputy Special Agent in Charge, Craig D. Fair. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
The law is the law
Prosecutors say Sullivan deceived Uber’s new management team about the 2016 breach by not providing enough “critical” details about the breach. When Uber named Dara Khosrowshahi as its CEO in August 2017, Sullivan allegedly edited a draft summary of the incident that was emailed to the new CEO. The DoJ says his edits removed details about the stolen data and lied about the payment being made only after the hackers had been identified.
The two hackers, later identified by Uber, were arrested and prosecuted in the Northern District of California. Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto, also attacked LinkedIn's Lynda.com as well as Uber.
Law enforcement arrested Glover first and Mereacre was arrested in October 2018, when he visited Miami, Florida.
The two pleaded guilty in a California court. The two face up to five years in prison and a fine of $250,000, each. Sentencing has yet to take place.
The former Uber CSO, who was previously CSO at Facebook from 2010 to 2015, is charged with obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4. Sullivan’s initial court appearance has not yet been scheduled.
If he is found guilty, Sullivan faces a maximum statutory penalty of five years in prison for the obstruction charge and a maximum three years in prison for the misprision charge.
Update: a spokesman for Mr Sullivan sent the following statement:
"There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant U.S. Attorney.
"This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department -- and not Mr. Sullivan or his group -- was responsible for deciding whether, and to whom, the matter should be disclosed."
In 2017, Uber’s CEO Dara Khosrowshahi said in a blog post: “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Sullivan was fired along with another employee. After six months self-employed,. he was hired as CSO at Cloudflare. Matthew Prince, CEO of Cloudflare, is backing Sullivan, tweeting: "Joe's had a distinguished career as a US Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare. Anytime an opportunity arose, Joe's advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family."