After the Federal Trade Commission began investigating a massive Uber data breach in 2016, the tech company was hit with another breach that was seemingly just as concerning. Rather than report the second data breach to the FTC and risk further public embarrassment, then-Uber security chief Joe Sullivan consulted with lawyers and then negotiated with the hackers. He allegedly set up a deal under which Uber paid the hackers a $100,000 “bug bounty” to delete the data, then pretended the data breach was part of a planned test of Uber’s security and had the hackers sign a nondisclosure agreement.
Now, Sullivan faces criminal obstruction charges, and The Wall Street Journal reports that his case has raised alarms for tech company security chiefs everywhere, who think Sullivan shouldn’t be taking the fall for Uber. One former security chief from AT&T, Edward Amoroso, told the Journal that “many top security officers believe” that Sullivan “did nothing wrong.”
Amoroso argued that by criminalizing reporting decisions of security chiefs like Sullivan, the US Department of Justice risks setting back the entire security profession. He said the debate was best left up to security communities, not a court, to decide who is responsible. Ars couldn’t immediately reach Amoroso for additional comment.
The DOJ disagrees. Justice Department attorney Andrew Dawson echoed prosecutors in the case who say that their primary issue is with Sullivan failing to communicate the second breach during an active FTC investigation into security failures surrounding Uber’s first big data breach.
“This is a case about coverup, about payoff, and about lies,” Dawson said in court on Wednesday, according to WSJ.
Uber declined to comment to Ars or the WSJ. The DOJ told Ars it cannot comment at this stage of litigation. Ars could not immediately reach Sullivan’s lawyers for additional comment.
Hiding hackers behind Uber’s “bug bounty”
WSJ reported that the hackers behind the second data breach, Brandon Charles Glover and Vasile Mereacre, have already pleaded guilty to hacking and extortion. The court will still decide if Sullivan did anything wrong by taking the steps he did after caving to the hackers’ demands for “high compensation.”
Court records reviewed by the WSJ showed that Sullivan’s team decided to treat the hackers’ $100,000 extortion demand for deleting 57 million records as “an example of security researchers reporting a bug.”
Uber typically contracts and pays security researchers through a “bug bounty program” to discover vulnerabilities before hackers do. In this case, Uber directed the hackers to join its bug bounty program. Then, it required the hackers to sign NDAs before Uber funneled the $100,000 to them in bitcoin.
Prosecutors said this was meant to disguise the illegal activity so the FTC would only see it as a valid payment through the bug bounty program. Dawson said that Sullivan only took these actions because the legal team told his team that “the matter could be treated as a bug bounty and wasn’t a reportable data breach if the hackers deleted the data and signed a nondisclosure agreement.”
On Wednesday, Sullivan’s attorney David Angeli told the court that even if the court frowned on hiding the data breach payoff by logging it internally as a bug bounty, Sullivan should not face criminal charges because he was not alone in taking these steps.
In the days following the first contact with the hackers, Sullivan consulted with “more than 30 other Uber employees, including then-Chief Executive Travis Kalanick and the company’s legal team” to plan Uber’s response to the incident. Angeli also said Sullivan was never in direct contact with the FTC during its investigation but instead communicated through lawyers.
Ongoing security risks
In 2017, Uber fired Sullivan, but today Sullivan is still a top tech company security chief, currently on leave from his duties as Cloudflare’s chief security officer. (Cloudflare did not provide Ars with comment on the lawsuit.) The Journal reports that a final question looms for courts to consider regarding Sullivan’s seeming neglect as a security chief who allegedly covered up a data breach.
After the hackers were paid off, their plea agreement following conviction revealed that the data had been shared with a third person—someone who never made an agreement with Uber to delete the data. Known as “Individual One” in court records, this person represents the ongoing vulnerabilities that can remain when tech companies deal with data breaches without oversight—which was a big part of why the FTC investigated Uber in the first place.
In the final FTC settlement in 2018, Uber agreed to terms that say it “could be subject to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access to consumer information.”
If found guilty, Sullivan faces maximum penalties for obstruction of justice of five years in prison and a $250,000 maximum fine. He has also been charged with concealing a felony, which comes with maximum penalties of three years in prison and possibly another $250,000 maximum fine.