Federal prosecutors have charged former Uber security chief Joe Sullivan with obstruction of justice for concealing a 2016 data breach from Federal Trade Commission investigators. Sullivan is now the chief security officer at Cloudflare.
In an emailed statement, a spokesman for Sullivan said the government’s charges have “no merit.”
“From the outset, Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” the spokesman wrote. “Those policies made clear that Uber’s legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed.”
The criminal complaint, filed Thursday, indicates that Uber’s then-CEO Travis Kalanick was aware of the breach and of Sullivan’s efforts to cover it up. It also concedes that Uber’s general counsel may have been aware of the breach by April 2017. But it argues that Sullivan kept others involved in Uber’s FTC response in the dark about the incident.
Two breaches, two years apart
In 2014, Uber suffered a data breach after hackers found cloud storage credentials hard-coded in Uber source code that an Uber engineer had accidentally published on GitHub. The credentials provided access to live data stored on Amazon’s S3 cloud storage service. The hackers gained access to names and driver’s license numbers for around 100,000 Uber drivers, as well as a much smaller number of bank account and Social Security numbers.
The breach triggered an investigation by the Federal Trade Commission. In November 2016, the FTC interviewed Sullivan. He had joined Uber in 2015 after five years as Facebook’s chief security officer (we interviewed him in 2013 and 2014), so he hadn’t been around during the 2014 breach. But as Uber’s new security chief, it was his job to explain the situation to the FTC’s investigators.
According to the criminal complaint, Sullivan “explained that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for data from another service.”
Ten days after his testimony, Sullivan learned that Uber had suffered a second breach that was a near replay of the first one. This time, a hacker reportedly stole credentials to gain access to Uber’s private code on GitHub. And that code still had some hard-coded Amazon S3 credentials. The hackers gained access to around 600,000 names and driver’s license numbers.
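As an added example (not code from the article or from Uber), the following Python check is the defensive counterpart to the “common at the time” practice the complaint quotes: it scans source text for hard-coded AWS access key IDs and secret access keys so a commit can be blocked before it reaches GitHub. The sample source and its key values are constructed placeholders; the 20-character AKIA prefix and 40-character secret format are AWS’s documented key formats.

```python
import re

# Constructed sample source, modelled on the pattern the article describes:
# storage credentials written directly into application code. The key values
# are placeholders made up for this example, not real credentials.
SAMPLE_SOURCE = """\
import boto3

# settings
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
BUCKET = "driver-records"
"""

# AWS long-term access key IDs start with "AKIA" followed by 16 upper-case
# alphanumerics; secret access keys are 40 characters from a base64-like set.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"""(?i)secret[a-z_]*\s*[=:]\s*["']([A-Za-z0-9/+=]{40})["']"""
)

def redact(value):
    # Keep only the ends so a finding can be matched to a key without
    # copying the full secret into a report or log line.
    return value[:4] + "..." + value[-4:]

def scan_source(text):
    """Return one finding per hard-coded credential, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": line_no, "kind": "aws_access_key_id",
                             "value": redact(m.group(0))})
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append({"line": line_no, "kind": "aws_secret_access_key",
                             "value": redact(m.group(1))})
    return findings

def has_hardcoded_credentials(text):
    """Pre-commit style gate: True means the commit should be blocked."""
    return bool(scan_source(text))

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Wired into a pre-commit hook over each staged file, the gate would have flagged both the 2014 and the 2016 style of leak before the code left the developer’s machine.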
Uber paid the hackers to stay quiet
Uber’s security team quickly recognized that it would be awkward to announce a second breach while the FTC was still investigating the first one. “Information is extremely sensitive and we need to keep this tightly controlled,” one internal document said.
So Uber decided to treat the breach as part of its bug bounty program. Under that program, Uber pays white-hat hackers for information about vulnerabilities in its software. Typically, payments are less than $10,000, and hackers aren’t supposed to exploit vulnerabilities to access user data. And in bug bounty cases, hackers are allowed to publicly disclose a vulnerability once Uber has fixed it.
But Uber’s lawyers wrote a special contract for these hackers. In exchange for an unusually large $100,000 payment, the hackers signed a strict non-disclosure agreement. The contract asked the hackers to state—falsely—that they had not accessed any user data.
According to prosecutors, Kalanick was aware of this approach. At 1am on November 15, Sullivan texted Kalanick. “I have something sensitive I’d like to update you on if you have a moment,” he wrote.
Ten minutes later—and presumably after a phone conversation—Kalanick texted Sullivan back. “Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a 🐛 bounty situation… resources can be flexible in order to put this to bed but we need to document this very tightly.”
It was a full year before the FTC learned about the 2016 breach. Kalanick was forced out as Uber’s CEO in June 2017 and replaced by Dara Khosrowshahi a couple of months later. When Khosrowshahi learned about the situation, he fired Sullivan and reported the new breach to the FTC. The FTC withdrew a tentative settlement agreement, and the investigation dragged on for another year before the case was finally settled in 2018.
The feds say Uber’s cover-up may have prevented law enforcement from bringing the hackers to justice sooner. In the year between the breach and Uber’s disclosure of it, the pair used similar techniques to hack several other large organizations. If Uber had reported the breach promptly, it’s possible that the feds would have caught the hackers responsible much earlier and saved some other companies from the same fate.
Who knew what, and when?
The government’s complaint doesn’t accuse Sullivan of directly lying to the FTC. But it portrays Sullivan as the mastermind of Uber’s efforts to keep the FTC in the dark.
Sullivan’s press statement suggests that he will fight the charges by arguing that he wasn’t personally responsible for Uber’s handling of the situation. The government’s brief acknowledges that Kalanick also knew the breach happened and approved an unusually large payment to the hackers to keep it under wraps. But the government claims that few others at Uber knew about it.
For example, Sullivan was consulted on a draft of a letter Uber sent to the FTC in April 2017. It touted Uber’s record of cooperation with the agency, including its practice of voluntarily submitting relevant information to the agency. In response, Sullivan wrote, “Letter looks ok to me.”
The final version of that letter touted the new security measures Uber had put into place since the 2014 breach, including “extensive additional protections for the data [Uber] stores in the S3 datastore” and “company-wide improvements in credential security and management.”
FBI agent Mario Scussel, the author of the government complaint, wrote that “based on my investigation, I do not believe that any of the individuals responsible for drafting the April 19 letter to the FTC had been made aware of the 2016 data breach.” But in a footnote, he hedges this broad statement, acknowledging that Uber’s general counsel may have known the breach happened. He added, “I have seen no evidence that the general counsel was informed of the details, such as the nature of the attack or the PII that was stolen.”