
(Photograph by Robyn Beck/AFP via Getty Images)
Federal prosecutors have charged former Uber security chief Joe Sullivan with obstruction of justice for concealing a 2016 data breach from Federal Trade Commission investigators. Sullivan is now the chief security officer at Cloudflare.
In an emailed statement, a spokesman for Sullivan said the government's charges have "no merit."
"From the outset, Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company's written policies," the spokesman wrote. "Those policies made clear that Uber's legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed."
The criminal complaint, filed Thursday, suggests that Uber's then-CEO Travis Kalanick was aware of the breach and of Sullivan's efforts to cover it up. It also concedes that Uber's general counsel may have been aware of the breach by April 2017. But it argues that Sullivan kept others involved in Uber's FTC response in the dark about the incident.
Two breaches, two years apart
In 2014, Uber suffered a data breach after hackers found cloud storage credentials hard-coded in Uber source code that an Uber engineer accidentally published on GitHub. The credentials provided access to live data stored on Amazon's S3 cloud storage service. The hackers gained access to names and driver's license numbers for around 100,000 Uber drivers, as well as a much smaller number of bank account and Social Security numbers.
The breach triggered an investigation by the Federal Trade Commission. In November 2016, the FTC interviewed Sullivan. He had joined Uber in 2015 after five years as Facebook's chief security officer (we interviewed him in 2013 and 2014), so he hadn't been around during the 2014 breach. But as Uber's new security chief, it was his job to explain the situation to the FTC's investigators.
According to the criminal complaint, Sullivan "elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service."
Ten days after his testimony, Sullivan learned that Uber had suffered a second breach that was a near replay of the first one. This time, a hacker reportedly stole credentials to gain access to Uber's private code on GitHub. And that code still had some hard-coded Amazon S3 credentials. The hackers gained access to around 600,000 names and drivers' license numbers.
Uber paid the hackers to stay quiet
Uber's security team immediately recognized that it would be embarrassing to announce a second breach while the FTC was still investigating the first one. "Data is extremely sensitive and we need to keep this tightly controlled," one internal document said.
So Uber decided to treat the breach as part of its bug bounty program. Under that program, Uber pays white-hat hackers for information about vulnerabilities in its software. Ordinarily, payments are less than $10,000 and hackers are not supposed to exploit vulnerabilities to access user data. And in bug bounty cases, hackers are allowed to publicly disclose a vulnerability once Uber has fixed it.
But Uber's lawyers wrote a special contract for these hackers. In exchange for an unusually large $100,000 payment, the hackers signed a strict non-disclosure agreement. The deal asked the hackers to state—falsely—that they had not accessed any user data.
According to prosecutors, Kalanick was aware of this plan. At 1am on November 15, Sullivan texted Kalanick. "I have something sensitive I'd like to update you on if you have a minute," he wrote.
Ten minutes later—and perhaps after a phone conversation—Kalanick texted Sullivan back. "Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a bug bounty situation… resources can be flexible in order to put this to bed but we need to document this very tightly."
It was a full year before the FTC learned about the 2016 breach. Kalanick was forced out as Uber's CEO in June 2017 and replaced by Dara Khosrowshahi a few months later. When Khosrowshahi learned about the situation, he fired Sullivan and reported the new breach to the FTC. The FTC withdrew a tentative settlement agreement, and the investigation dragged on for another year before the case was finally settled in 2018.
The feds say Uber's cover-up may have prevented law enforcement from bringing the hackers to justice earlier. In the year between the breach and Uber's disclosure of it, the pair used similar techniques to hack several other large companies. If Uber had reported the breach promptly, it is possible that the feds would have caught the hackers responsible much earlier and saved some other companies from the same fate.
Who knew what, and when?
The government's complaint does not accuse Sullivan of directly lying to the FTC. But it portrays Sullivan as the mastermind of Uber's efforts to keep the FTC in the dark.
Sullivan's press statement suggests that he will fight the charges by arguing that he wasn't personally responsible for Uber's handling of the situation. The government's brief acknowledges that Kalanick also knew the breach happened and approved an unusually large payment to the hackers to keep it under wraps. But the government claims that few others at Uber knew about it.
For example, Sullivan was consulted on a draft of a letter Uber sent to the FTC in April 2017. It touted Uber's record of cooperation with the agency, including its practice of voluntarily submitting relevant information to the agency. In response, Sullivan wrote, "Letter looks fine to me."
The final version of that letter touted the new security measures Uber had put in place since the 2014 breach, including "extensive additional protections for the data it stores [Uber] stores in the S3 datastore" and "company-wide improvements in credential protection and management."
FBI agent Mario Scussel, the author of the government's complaint, wrote that "based on my investigation, I do not believe that any of the individuals responsible for drafting the April 19 letter to the FTC were made aware of the 2016 data breach." But in a footnote, he hedges this broad statement, acknowledging that Uber's general counsel may have known the breach happened. He added, "I have seen no evidence that the general counsel was aware of the details, such as the nature of the attack or the PII that was stolen."