CSO Paid Hackers $100K - Hide Breach From FTC - Deceived New Mgt. Team
"Former Chief Security Officer For Uber Charged With Obstruction Of Justice"
SAN FRANCISCO – A criminal complaint was filed today in federal court charging
Joseph Sullivan with obstruction of justice and misprision of a felony in
connection with the attempted cover-up of the 2016 hack of Uber Technologies
Incorporated, announced United States Attorney David L. Anderson and FBI
Deputy Special Agent in Charge Craig D. Fair. Additional facts regarding the
investigation and charges can be found here.
According to the complaint, between April 2015 and November 2017, Sullivan, 52,
of Palo Alto, Calif., served as Uber’s Chief Security Officer. During this time,
two hackers contacted Sullivan by email and demanded a six-figure payment in
exchange for silence. The hackers ultimately revealed that they had accessed and
downloaded an Uber database containing personally identifying information, or
PII, associated with approximately 57 million Uber users and drivers. The
database included the drivers’ license numbers for approximately 600,000 people
who drove for Uber. The criminal complaint alleges that Sullivan took
deliberate steps to conceal, deflect, and mislead the Federal Trade Commission
about the breach.
“Silicon Valley is not the Wild West,” said U.S. Attorney Anderson. “We
expect good corporate citizenship. We expect prompt reporting of criminal
conduct. We expect cooperation with our investigations. We will not tolerate
corporate cover-ups. We will not tolerate illegal hush money payments.”
“Concealing information about a felony from law enforcement is a crime,” said
Deputy Special Agent in Charge Fair. “While this case is an extreme example of a
prolonged attempt to subvert law enforcement, we hope companies stand up and
take notice. Do not help criminal hackers cover their tracks. Do not make the
problem worse for your customers, and do not cover up criminal attempts to steal
people’s personal data.”
The complaint describes how Sullivan played a pivotal role in responding to FTC
inquiries about Uber’s cyber security. Uber had been hacked in September of 2014
and the FTC was gathering information about that 2014 breach. The FTC demanded
responses to written questions and required Uber to designate an officer to
provide testimony under oath on a variety of topics. Sullivan assisted in the
preparation of Uber’s responses to the written questions and was designated to
provide sworn testimony on a variety of issues. On November 14, 2016,
approximately 10 days after providing his testimony to the FTC, Sullivan
received an email from a hacker informing him that Uber had been breached again.
Sullivan’s team was able to confirm the breach within 24 hours of his receipt of
the email.
Rather than report the 2016 breach, Sullivan allegedly took deliberate
steps to prevent knowledge of the breach from reaching the FTC. For example,
Sullivan sought to pay the hackers off by funneling the payoff through
a bug bounty program—a program in which a third party intermediary arranges
payment to so-called “white hat” hackers who point out security issues but have
not actually compromised data. Uber paid the hackers $100,000 in BitCoin in
December 2016, despite the fact that the hackers refused to provide their
true names. In addition, Sullivan sought to have the hackers sign non-disclosure
agreements. The agreements contained a false representation that the hackers did
not take or store any data. When an Uber employee asked Sullivan about this
false promise, Sullivan insisted that the language stay in the non-disclosure
agreements. Moreover, after Uber personnel were able to identify two of the
individuals responsible for the breach, Sullivan arranged for the hackers to
sign fresh copies of the non-disclosure agreements in their true names. The new
agreements retained the false condition that no data had been obtained.
Uber’s new management ultimately discovered the truth and disclosed the breach
publicly, and to the FTC, in November 2017. Since that time, Uber has responded
to additional government inquiries.
The criminal complaint also alleges Sullivan deceived Uber’s new management team
about the 2016 breach. Specifically, Sullivan failed to provide the new
management team with critical details about the breach. In August of 2017, Uber
named a new Chief Executive Officer. In September 2017, Sullivan briefed Uber’s
new CEO about the 2016 incident by email. Sullivan asked his team to prepare a
summary of the incident, but after he received their draft summary, he edited
it. His edits removed details about the data that the hackers had taken and
falsely stated that payment had been made only after the hackers had been
identified.
The two hackers identified by Uber were prosecuted in the Northern District of
California. Both pleaded guilty on October 30, 2019, to computer fraud
conspiracy charges and now await sentencing. The criminal complaint makes clear
that “both [hackers] chose to target and successfully hack other technology
companies and their users’ data” after Sullivan failed to bring the Uber data
breach to the attention of law enforcement.
In sum, Sullivan is charged with obstruction of justice, in violation of 18
U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4.
Sullivan’s initial federal court appearance has not yet been scheduled.
A complaint merely alleges that crimes have been committed, and all defendants
are presumed innocent until proven guilty beyond a reasonable doubt. If
convicted, Sullivan faces a maximum statutory penalty of five years in prison
for the obstruction charge and a maximum three years in prison for the
misprision charge. However, any sentence following conviction would be imposed
by the court after consideration of the U.S. Sentencing Guidelines and the
federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.
The case is being prosecuted by the Corporate Fraud Strike Force of the U.S.
Attorney’s Office. The prosecution is the result of an investigation by the FBI.
Originally posted on justice.gov