Uber’s former security boss, Joe Sullivan, charged by US DoJ for covering up 2016 data breach that was exposed a year later in 2017
Federal prosecutors in the United States have formally charged the former head of security at Uber for concealing its controversial data breach in 2016.
As a reminder, it was reported that Uber had suffered a cyberattack in November 2016, which exposed data from 57 million customers and drivers.
No financial details or journey records were said to have been taken by the hacker, but the attackers were paid $100,000 in bitcoin to delete the files. That said, some personal information was stolen and there were no guarantees the data was actually destroyed.
To make matters worse, Uber used its “bug bounty” program (normally used to identify small code vulnerabilities) to pay off the hackers (one of whom was said to be an unidentified 20-year-old man in Florida).
Uber came clean about the incident in November 2017, after new CEO Dara Khosrowshahi said he only became aware of the breach recently.
Khosrowshahi had only joined the company earlier in 2017.
But Khosrowshahi’s admission that Uber had not revealed the breach for over a year prompted an investigation by European authorities.
The British Information Commissioner’s Office (ICO) fined the company 385,000 pounds ($490,760), while the Dutch Data Protection Authority (DPA) slapped Uber with a 600,000 euro ($678,780) fine.
Uber in September 2018 also announced that it would pay $148m (£113m) in order to settle legal action over the attack.
And now the US Department of Justice has announced that former Uber security boss Joseph Sullivan has been charged in a federal court for “obstruction of justice and misprision of a felony in connection with the attempted cover-up of the 2016 hack of Uber Technologies.”
According to the complaint, between April 2015 and November 2017, Sullivan, 52, of Palo Alto, California, served as Uber’s Chief Security Officer.
“During this time, two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence,” the charges read. “The hackers ultimately revealed that they had accessed and downloaded an Uber database containing personally identifying information, or PII, associated with approximately 57 million Uber users and drivers.”
According to the DoJ, this database included the drivers’ license numbers for approximately 600,000 people who drove for Uber.
The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach.
“Silicon Valley is not the Wild West,” said US Attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
“Concealing information about a felony from law enforcement is a crime,” said deputy special agent in charge Craig Fair. “While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”
According to the charges, Uber had been hacked in September 2014 and the FTC was gathering information about that 2014 breach.
Sullivan assisted in the preparation of Uber’s responses to the written questions and was designated to provide sworn testimony on a variety of issues. But reportedly on 14 November 2016, approximately 10 days after providing his testimony to the FTC, Sullivan received an email from a hacker informing him that Uber had been breached again.
Sullivan’s team was able to confirm the breach within 24 hours of his receipt of the email.
Sullivan then allegedly went rogue and, rather than report the 2016 breach, took deliberate steps to prevent knowledge of the breach from reaching the FTC.
The charges cited Sullivan paying off the hackers via the bug bounty program, despite the fact that the hackers had refused to provide their true names.
In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements.
And in a further development, it seems that Uber personnel were subsequently able to identify two of the individuals responsible for the breach.
Sullivan then arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names.
The new agreements retained the false condition that no data had been obtained.
Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.
The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach.
Specifically, Sullivan failed to provide the new management team with critical details about the breach. In September 2017, Sullivan briefed Uber’s new CEO (Khosrowshahi) about the 2016 incident by email.
Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits allegedly removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.
The two hackers identified by Uber were later prosecuted in the Northern District of California.
Both pleaded guilty on 30 October 2019 to computer fraud conspiracy charges and now await sentencing.