A former Uber security executive has been charged for his role in the cover-up of a huge 2016 data breach, in which attackers accessed the company’s Amazon Web Services accounts, & stole data associated with 57m passengers & drivers.
Joseph Sullivan allegedly paid $100K to the hackers responsible for the 2016 data breach, which exposed the PII of 57m passengers & drivers.
Obstruction of Justice
The US State Attorney for the Northern District of California has charged California resident Joseph Sullivan, 52, with ‘obstruction of justice’ & ‘misprision of a felony’ in connection with the attempted cover-up, which occurred when Sullivan was Uber’s Chief Security Officer (CSO).
The complaint alleges that Sullivan fraudulently paid off the hackers responsible via Uber’s ‘bug bounty’ program.
Illegal Hush Money
US Attorney David L. Anderson, who is prosecuting the case, castigated Sullivan’s alleged behaviour in a press statement, observing that the state “will not tolerate illegal hush money payments.”
“Silicon Valley is not the Wild West,” he commented. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups.”
Amazon Web Services
In October 2016, 2 hackers gained access to Uber data stored on Amazon Web Services accounts, using Uber software engineer credentials found on GitHub, & stole a database that contained personally identifiable information (PII) associated with 57m Uber users & drivers.
The database included the drivers’ license numbers for about 600,000 people who drove for the online taxi platform.
Ransom E-mail
Afterwards, the attackers sent Sullivan what was effectively a ransom email demanding a six-figure payment in exchange for silence, says the complaint. Sullivan eventually paid them $100,000 in Bitcoin via Uber’s ‘bug bounty program’, taking steps to ‘conceal, deflect, & mislead’ the Federal Trade Commission (FTC) regarding the breach, say prosecutors.
The federal charge describes an elaborate cover-up by Sullivan that involved not only deceiving the FTC, but also asking Uber employees to conceal information about the breach & the pay-out, & withholding from officials the full extent of the breach.
Uber’s CEO then, Travis Kalanick, was told about the incident & the pay-out, but as yet he has not been charged.
Kalanick resigned in June 2017, after many scandals emerged at the company that he founded.
$20,000
When the 2016 breach occurred, Sullivan was already in contact with the FTC about a 2014 data breach at Uber & had just provided evidence about that earlier hack to authorities, say prosecutors. Uber was eventually fined $20,000 in 2016 by the New York Attorney General for failing to disclose the 2014 breach.
Instead of informing the FTC when he was contacted by the hackers, Sullivan arranged for them to be paid $100,000 in Bitcoin in Dec. 2016 through Uber’s ‘bug bounty program’, even though they never revealed their true names & were clearly not ‘white-hat’ hackers, said prosecutors.
Non-Disclosure Agreements
Sullivan made the hackers sign non-disclosure agreements (NDAs) that included the claim that they had not taken or stored any data. When an Uber employee asked Sullivan about this, he insisted it remain in the NDA, says the charge. Even after Uber personnel identified 2 of those responsible for the breach, Sullivan made them sign fresh NDAs under their real names that still included the false statement.
Sullivan eventually disclosed the breach to Uber’s new CEO, Dara Khosrowshahi, in Sept. 2017, a month after Khosrowshahi took the company’s reins following Kalanick’s resignation. However, the CSO removed details about the data that had been stolen & claimed the hackers had been paid only after they were identified by name.
Fired
Sullivan & one of his staff were fired over their failure to disclose the breach; the dismissals were announced when the attack became public in Nov. 2017. Uber has since strengthened the policies around its bug bounty program to clarify the boundary between legitimate research & blackmail.
The hackers have been charged in the Northern District of California; they pleaded guilty to computer fraud conspiracy charges on Oct. 30, 2019 & are currently awaiting sentencing.
Failed
They said that they successfully attacked other technology companies after Sullivan failed to inform law enforcement about the Uber hack.
Sullivan is awaiting the scheduling of his first court appearance.
Extra details about the case can be found in a video prosecutors posted on YouTube.