Federal Charges for Covering Up Data Breach
In October 2022, after a four-week trial, a federal jury in San Francisco convicted Joseph Sullivan, the former Chief Security Officer of Uber, of obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber.
“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” Special Agent Robert K. Tripp, who’s in charge of the FBI’s San Francisco office, said in a press release. “The FBI and our government partners will not allow rogue technology company executives to put American consumers’ personal information at risk for their own gain.”
“Technology companies in the Northern District of California collect and store vast amounts of data from users,” said U.S. Attorney Stephanie M. Hinds. “We expect those companies to protect that data and to alert customers and appropriate authorities when hackers steal such data. Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
Sullivan’s crimes tie into two hacks of Uber’s databases in 2014 and 2016. Though he did not start as the company’s chief security officer until April 2015, he played a central role in Uber’s response to the 2014 breach (which exposed between 50,000 and 100,000 consumers’ personal information, including their names and driver’s license numbers) and testified to the FTC. His testimony occurred 10 days before two hackers struck again – this time stealing 57 million Uber user records and 600,000 driver license numbers. The hackers obtained credentials from a private GitHub coding site used by Uber software engineers, which led them to data stored on an Amazon Web Services account that included an archive of rider and driver information.
Instead of telling the FTC about this breach, Sullivan worked to cover it up and executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” He then orchestrated a secret $100,000 bitcoin payout to the hackers as well as a nondisclosure agreement that contained the false representation that the hackers did not take or store any data in their hack.
Uber paid the hackers $100,000 in bitcoin in December 2016, even though the hackers had refused to provide their true names. After identifying the two hackers in January of 2017, Uber required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies besides Uber. Sullivan never mentioned the second breach to Uber lawyers (including Uber’s General Counsel) handling the FTC’s inquiry, but Travis Kalanick, Uber’s co-founder and CEO at the time, learned about the hack in November 2016. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO (Dara Khosrowshahi) what happened, Sullivan lied and told Khosrowshahi that the hackers had only been paid after they were identified, and he initially failed to report that the hack had involved personally identifying information and a very large quantity of user data. Sullivan also lied to Uber’s outside lawyers investigating the incident. The truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017. Khosrowshahi asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan.
Uber agreed to a settlement with the attorneys general of all 50 states and the District of Columbia regarding the 2016 data breach. Uber agreed to pay a record $148 million penalty for concealing the breach.
The two hackers identified by Uber were ultimately prosecuted in the Northern District of California. The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.
In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge. Sullivan remains free on bond pending sentencing. His sentencing will be set at a later date.
Timeline for Uber Breaches and Subsequent Activities
Here is a high-level timeline for the two Uber breaches and subsequent activities, including FTC notifications and cover-up activities:
- May 12, 2014: Threat actors accessed personal data of Uber customers and drivers contained in an AWS S3 bucket, exposing between 50,000 and 100,000 consumers’ personal information.
- September 2014: Uber’s security team discovered the intrusion and began investigating the incident.
- February 2015: Uber disclosed the attack to the FTC, which also began an investigation into the incident.
- April 2, 2015: Uber hired Joe Sullivan as its chief security officer.
- November 4, 2016: Sullivan provided sworn testimony to the FTC regarding the FTC’s investigation into the 2014 breach, which occurred before Uber hired him.
- November 14, 2016: Sullivan received an email from anonymous threat actors claiming they exploited a “major vulnerability” and obtained access to an Uber database. Uber’s security team investigated and confirmed the claim.
- November 15, 2016: According to records of text messages, Sullivan contacted then-CEO Travis Kalanick about a “sensitive” matter. Kalanick spoke with Sullivan and then sent a text message discussing how the matter could be treated “as a [bug] bounty situation.”
- December 8, 2016: Using HackerOne’s bug bounty platform, Uber authorized a $100,000 payment to the threat actors behind the breach, who signed non-disclosure agreements regarding the incident.
- January 2017: Uber’s security team identified the threat actors behind the breach and made them execute new copies of the non-disclosure agreements in their true names.
- April 19, 2017: Uber sent a letter to the FTC requesting the commission close its investigation into the company’s 2014 data breach, touting its full cooperation with the FTC and implementation of “numerous and extensive additional protections” for data stored in its S3 buckets to prevent a repeat of the 2014 incident. The letter did not disclose the 2016 breach.
- June 21, 2017: Kalanick stepped down as CEO of Uber following a number of scandals.
- August 15, 2017: Uber and the FTC agreed to a proposed settlement regarding the company’s 2014 breach. The settlement prohibited Uber from misrepresenting its security practices and required the company to implement a comprehensive privacy program and to undergo third-party audits every two years for the next 20 years.
- August 29, 2017: Uber named Dara Khosrowshahi as its new CEO.
- September 2017: Sullivan was asked to brief Khosrowshahi about the 2016 data breach, but his briefing omitted key details about the breach.
- November 21, 2017: Khosrowshahi disclosed the 2016 breach with an apology for not disclosing the incident earlier and Bloomberg was the first to report that Sullivan and Clark were asked to resign for concealing the breach and paying off the hackers.
- April 12, 2018: The FTC announced it withdrew the proposed settlement with Uber regarding the 2014 data breach and criticized the company for concealing the 2016 breach during its initial investigation.
- August 2, 2018: A grand jury indicted the two hackers with attempted extortion from Lynda.com (owned by LinkedIn).
- September 26, 2018: Uber agreed to a settlement with the attorneys general of all 50 states and the District of Columbia regarding the 2016 data breach. Uber agreed to pay a record $148 million penalty for concealing the breach.
- October 26, 2018: The FTC approved a revised settlement with Uber, making Uber subject to civil penalties for any failures to disclose future breaches or security incidents involving unauthorized access to customer and driver data.
- October 30, 2019: The Department of Justice announced that the two hackers pleaded guilty to conspiracy to commit extortion in a superseding indictment related to the Uber data breach and admitted that Uber paid them $100,000 via HackerOne under the guise of a bug bounty.
- August 21, 2020: Sullivan was charged with one count of obstruction of justice and one count of misprision of a felony. Authorities claimed Sullivan covered up the 2016 breach from the public and the FTC to obstruct the FTC’s investigation into Uber’s security practices.
- September 7, 2022: Sullivan’s jury trial began in the US district court in San Francisco.
- October 5, 2022: Sullivan was found guilty by a jury on Wednesday of misprision of a felony and obstruction of the Federal Trade Commission.
Conclusion
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses, and in most states, governmental entities as well, to notify individuals of security breaches of information involving personally identifiable information (PII).
Sullivan’s efforts to cover up Uber’s 2016 data breach involving data for 57 million Uber customers not only contributed to a record $148 million penalty for Uber for concealing the breach, but also enabled the hackers to remain unchecked, which led to a data breach at a different company. Failing to disclose data breaches is not only expensive and harmful to other companies; it is also against the law. Joseph Sullivan has been reminded of that – the hard way.
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.