Former Uber CSO Charged With Paying ‘Hush Money’ in 2016 Breach Cover-Up

Uber data breach

Joseph Sullivan allegedly paid off $100K to the hackers responsible for a 2016 data breach, which exposed PII of 57 million passengers and drivers.

A former Uber security executive has been charged for his role in the cover-up of a massive 2016 data breach, in which attackers accessed the company’s Amazon Web Services accounts and stole data associated with 57 million passengers and drivers.

The U.S. State Attorney for the Northern District of California has charged Palo Alto, Calif., resident Joseph Sullivan, 52, with obstruction of justice and misprision of a felony in connection with the attempted cover-up, which occurred when Sullivan was Uber’s chief security officer (CSO). The complaint alleges that Sullivan fraudulently paid off the hackers responsible via Uber’s bug bounty program.

United States Attorney David L. Anderson, who is prosecuting the case, castigated Sullivan’s alleged behavior in a press statement, saying that the state “will not tolerate illegal hush money payments.”

“Silicon Valley is not the Wild West,” he said. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups.”

In October 2016, two hackers gained access to Uber data stored on Amazon Web Services accounts, using Uber software engineer credentials found on GitHub, and stole a database that contained personally identifiable information (PII) associated with 57 million Uber users and drivers. The database included the drivers’ license numbers for about 600,000 people who drove for the online ride-hailing platform.

Following the heist, the attackers effectively sent Sullivan a ransom email demanding a six-figure payment in exchange for his silence, according to the complaint. Sullivan ultimately paid them $100,000 in Bitcoin through Uber’s bug bounty program, taking deliberate steps to conceal, deflect, and mislead the Federal Trade Commission (FTC) about the breach, prosecutors claim. The federal complaint alleges an elaborate cover-up by Sullivan that involved deceiving not just the FTC but also asking Uber employees to cover up information about the breach and the payout, as well as failing to inform officials about its scope.

Uber’s CEO at the time, Travis Kalanick, was informed about the incident and the payout;  at this time he has not been charged in the case. Kalanick resigned his position in June 2017 after numerous scandals rocked his tenure at the company he founded.

At the time of the 2016 breach, Sullivan already was in contact with the FTC about a 2014 data breach at Uber and had just provided testimony about that hack to law enforcement when the 2016 breach occurred, according to prosecutors. Uber eventually was fined $20,000 in 2016 by the New York attorney general for failing to disclose the 2014 breach.

Instead of immediately informing the FTC when he was contacted by the hackers, Sullivan arranged for them to be paid $100,000 in Bitcoin in December 2016 through Uber’s bug bounty program, even though they never revealed their real names and were clearly not white-hat hackers, according to prosecutors.

Sullivan also made the hackers sign non-disclosure agreements (NDAs) that included the claim that they did not take or store any data. When an Uber employee asked Sullivan about the falsity, he insisted it remain in the NDA, according to the complaint. Even after Uber personnel identified two of the individuals responsible for the breach, Sullivan made them sign fresh NDAs using their real names that still included the false information.

Sullivan eventually disclosed the breach to Uber’s new CEO, Dara Khosrowshahi, in September 2017, a month after Khosrowshahi took the company’s reins following Kalanick’s resignation. However, the CSO removed specific details about the data that had been stolen and said the hackers had been paid ransom only after they were identified by name.

Sullivan and one of his deputies eventually lost their jobs over their failure to disclose the breach, something officials announced when they revealed the attack to the public in November 2017. Uber has also since tightened the policies around its bug bounty program since the incident, to clarify the boundaries between research versus blackmail.

The hackers in the case already have been prosecuted in the Northern District of California, pleading guilty to computer fraud conspiracy charges on Oct. 30, 2019; they currently await sentencing. The perpetrators told prosecutors that they successfully attacked other technology companies after Sullivan failed to inform law enforcement about their participation in the Uber hack.

Sullivan is awaiting his first court appearance, which has not yet been scheduled. More details about the case can be found in a video prosecutors posted on YouTube.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.

Suggested articles