A criminal complaint filed last Thursday in federal court charges Uber’s former Chief Security Officer (CSO), Joseph Sullivan, with multiple crimes related to his alleged attempt to cover up a 2016 data breach that compromised personally identifying information (PII) associated with approximately 57 million people, including both Uber riders and drivers; prosecutors allege that Sullivan took deliberate steps to mislead the Federal Trade Commission (FTC) about the breach.
Sullivan, who served as the ride-share giant’s CSO from April 2015 through November 2017, provided testimony under oath to the Federal Trade Commission on a variety of topics related to Uber’s information security practices – information that the FTC sought in the aftermath of a 2014 data breach at Uber.
According to the charges leveled against Sullivan, in November of 2016, less than two weeks after providing his testimony to the FTC, Sullivan received an email from a hacker informing the CSO that Uber had been breached again – a fact that Sullivan’s team was able to quickly confirm.
Prosecutors allege that rather than report the new breach, Sullivan took deliberate steps to prevent the FTC from finding out about it – including, allegedly, attempting to pay the anonymous hackers “hush money” by funneling funds to them through a bug bounty program (a program in which a third-party intermediary arranges for a company to compensate people who discover, but who do not actually exploit, vulnerabilities in the firm’s products); in fact, according to the indictments, Uber paid the hackers $100,000 in Bitcoin in December of 2016.
In addition, Sullivan allegedly both sought to have the hackers sign non-disclosure agreements (NDAs) that contained a false representation that the hackers did not take or store any Uber data, and deceived others at Uber – including the new CEO that the firm hired in August of 2017 – about significant aspects of the breach.
Uber’s leadership ultimately uncovered the truth and disclosed the breach both to the FTC and to the public in November of 2017; Sullivan was promptly fired.
Sullivan, who was CSO at Facebook prior to joining Uber, and who was appointed by President Obama to the Commission on Enhancing National Cybersecurity, is currently serving as CSO at Cloudflare.
CSOs and other information-security professionals should take notice: Attempting to cover up a data breach – which used to be a common practice across much of the industry – will not be tolerated anymore, and can lead to serious criminal charges.
As Deputy Special Agent in Charge Craig D. Fair put it: “Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”