Uber’s former chief security officer was charged on Thursday for covering up the company’s 2016 security breach, during which hackers stole the personal details of 57 million Uber customers and the details of 600,000 Uber drivers.
Prosecutors in Northern California are charging Joe Sullivan, 52, who served as Uber CSO between April 2015 and November 2017, when Uber changed its CEO and most of its management team.
According to court documents, DOJ officials claim that Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach.”
Speaking at a press conference today (see video below), US Attorney for the Northern District of California David Anderson said that by hiding the Uber hack from authorities and management, Sullivan indirectly helped the hackers breach other companies.
“This office charged the hackers and last year, and they pleaded guilty,” Anderson said. “In their guilty pleas, the hackers admitted to hacking other companies using similar techniques to those used in the Uber hack.
“If Sullivan had promptly reported the Uber hack those other hacks of those other companies may have been prevented,” Anderson said.
How the 2016 Uber hack unfolded
But to understand what happened behind the scenes, we must combine details put forward by the DOJ today and court documents from the DOJ’s case against the Uber hackers — namely, Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto.
Per these two sets of documents, the Uber hack took place after the two hackers used a custom-built tool to gain access to GitHub accounts.
Glover and Mereacre specifically targeted the accounts of employees working for large corporations, gained access to their GitHub profiles, and then searched through the employee’s projects for sensitive passwords and credentials.
This is how the two hackers got their hands on Amazon Web Services (AWS) credentials for Uber’s backend infrastructure, where they found and subsequentially downloaded details for 57 million Uber customers and 600,000 Uber drivers.
Per court documents, the two hackers reached out to Sullivan via email, claiming they “found a major vulnerability,” provided a sample of the stolen data, and then requested a $100,000 payment in bitcoin to reveal the company’s security hole.
Court documents unsealed today reveal that at the time Sullivan received this email, on November 14, Sullivan had just submitted a written testimony to the FTC about a 2014 security breach, during which a hacker stole the names and drivers licenses of about 50,000 drivers.
Prosecutors say that Sullivan and his security team confirmed the validity of the hackers’ sample data within 24 hours of receiving the email, but instead of notifying the FTC of this new security breach, Sullivan agreed to pay the hackers’ “hush money.”
Court documents filed today show conversations Sullivan had with then-Uber CEO Travis Kalanick about the security breach, with Kalanick giving the go-ahead for the hackers to receive their ransom in the form of a bug bounty program payout.
Investigators say that Sullivan proceeded with this plan and arranged for the hackers to sign a non-disclosure agreement even without knowing their real names. This initial contract was signed, and the bounty paid in December 2016 via the company’s HackerOne bug bounty program.
However, US prosecutors say that when Uber’s security team tracked down and identified the two hackers, instead of notifying authorities, Sullivan had the two hackers re-sign their confidentiality agreement in their true names.
Furthermore, the DOJ complaint claims that Sullivan insisted on the hackers signing a contract that claimed they had not taken any of Uber’s data, knowing this statement was false.
“When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements,” the DOJ said today in a press release.
New management comes in, exposes hack
Things then calmed down, but only until August 2017, when Uber’s board ousted Kalanick and replaced him with Dara Khosrowshahi.
The DOJ says that Sullivan notified the new management team about the 2016 security incident, but continued to cover up the hack.
“Specifically, Sullivan failed to provide the new management team with critical details about the breach,” the DOJ said. “In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”
But despite the issue being resolved, the new Uber CEO disclosed the breach to the public in November 2017. This disclosure was followed by an FBI investigation, which quickly identified and arrested the hackers, both of which pleaded guilty in October 2019.
As the FBI investigated and gained access to the company’s internal communications, they also started to understand Sullivan’s role in covering up the 2016 breach.
“Silicon Valley is not the Wild West,” said Anderson today. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Sullivan was charged today with obstruction of justice and misprision of a felony in connection to the 2016 hack and subsequent cover-up. If found guilty on both charges, Sullivan risks maximum prison sentences of five and three years, respectively.
As NPR pointed out today, before serving as a CSO at Uber, Sullivan had previously spent two years prosecuting computer hacking crimes as an assistant US Attorney in the very same office that charged him today.