Uber’s former security chief charged in data breach cover-up

Joseph Sullivan, who left Uber in 2017, was charged with obstruction of justice and misprision (concealment) of a felony for allegedly paying $100,000 in 2016 to hackers who successfully breached the ridesharing company’s data on 57 million of its users and drivers. The database included the license numbers for approximately 600,000 people who drove for Uber, federal prosecutors said.

Sullivan was hired as chief security officer for cyber-security firm Cloudflare in 2018, a position he still holds, according to his profile on LinkedIn.

Cloudflare’s CEO, Matthew Prince, tweeted that he was “sad to see” the allegations against Sullivan and “hope[s] this is resolved quickly.”

Federal prosecutors allege Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission (FTC) about the breach,” according to the Department of Justice (DOJ) press release Thursday announcing the charges.

A statement released by a spokesman for Sullivan insisted the charges against him have “no merit.” Sullivan was part of a team at Uber that tracked down the hackers, and many people at the company were part of the decisions about what to do about the data breach, the statement said.

“From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department – and not Mr. Sullivan or his group – was responsible for deciding whether, and to whom, the matter should be disclosed,” the statement said.

Many other companies—Carnival Corp. is a recent example—have experienced ransomware attacks on their data. It’s unclear, however, whether hackers initially demanded payment in the 2016 data breach at Uber, which would be a typical ransomware attack, or were offered money after the breach happened.

The alleged cover-up at Uber began during a 2016 FTC investigation into a 2014 data breach. While the FTC investigation was underway, Uber was hacked again. Instead of reporting the fresh breach to the FTC, Sullivan conspired to cover it up, federal prosecutors allege.

“Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program—a program in which a third party intermediary arranges payment to so-called ‘white hat’ hackers who point out security issues but have not actually compromised data,” the DOJ said. “Uber paid the hackers $100,000 in BitCoin in December 2016, despite the fact that the hackers refused to provide their true names.”

The use of “bug hunters” or “white hat” hackers is another tool companies can use to probe for weaknesses in their firm’s cyber-defenses.

Sullivan had the hackers sign non-disclosure agreements saying they did not take or store any data, a representation Sullivan knew was not true, prosecutors said. Uber later identified the true identities of the hackers and had them sign new non-disclosure agreements with their real names.

Prosecutors also allege that in 2017, Sullivan hid crucial details of the data breach from Uber’s new CEO, deleting information in an email brief about the nature of the data taken and the timeline of the payments and non-disclosure agreements.

The two hackers identified by Uber were prosecuted in the Northern District of California, pled guilty in 2019, and are awaiting sentencing. Prosecutors say the hackers were emboldened to target other tech companies after Uber failed to alert law enforcement about its 2016 data breach.