On August 20, 2020, Uber’s former Chief Security Officer, Joe Sullivan, was charged by the U.S. Department of Justice (DOJ) with obstruction of justice and concealing a felony for allegedly trying to cover up a 2016 cyberattack that exposed the personal data of 57 million users and drivers and misleading the Federal Trade Commission (FTC) about the 2016 incident. Based on the criminal complaint filed against Sullivan, individuals and corporations can learn valuable lessons in responding to cyber intrusions by considering what Sullivan allegedly did wrong and what corporate officers should do when responding to a cyberattack. Below is an overview of Sullivan’s federal indictment and some key takeaways for consideration.
Sullivan is accused of lying to the FTC about the 2016 incident, which involved a $100,000 payoff he allegedly arranged with two hackers who, per a witness, falsely stated under a non-disclosure agreement that they had not obtained or stolen Uber's data, according to the DOJ. As per the criminal complaint, "[t]his misrepresentation concealed the fact that the hackers had, in fact, stolen data, thereby falsely giving the incident the appearance of a typical bug bounty claim rather than a data breach.”
Uber initially referred to the payout internally as part of its "bug bounty" program, which incentivizes cybersecurity experts to report security flaws to the company. But the $100,000 sum was 10 times the program's award cap at the time, and an Uber executive later admitted to Congress that the payoff was akin to extortion. The payment and alleged cover-up came at the same time Uber was negotiating a settlement with the FTC over a similar 2014 incident in which hackers exfiltrated user data from one of Uber's cloud storage sites, according to the criminal complaint. In both the 2014 and 2016 breaches, the attackers gained access to the cloud storage sites by the same method: credentials stored in clear text on a hosting service platform.
The charges stem from the fact that Sullivan allegedly intended to impede the FTC’s then-current investigation into the 2014 breach by not disclosing the new 2016 breach, including in supplemental interrogatories issued by the FTC after the breach that specifically required the disclosure of information about any breach. Further, five months after the 2016 breach, Sullivan reviewed a letter Uber planned to send to the FTC requesting that the FTC close its investigation into Uber. The letter claimed, among other things, that “the data security incidents at issue reflect no misdirected priorities, no failure to appreciate the risks, and no lack of security knowledge or care” and that Uber had implemented additional security measures regarding “credential protection and management and other aspects of data security.” This charge does not suggest that Sullivan would have had a duty to notify authorities had the 2014 breach investigation not been underway.
Business records generated in the course of the response to the breach were used by the DOJ to show that Sullivan had allegedly instructed his team to keep knowledge of the 2016 breach tightly controlled. According to the criminal complaint, a witness also reported that Sullivan stated in a private conversation at the time "that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out.” In addition, Sullivan’s efforts to cover up the issue were allegedly logged in an issue tracking system known as the “Preacher Central Tracker,” which included information admitting that the access credentials had not been changed for years, as well as internal communications indicating Sullivan’s knowledge of the breach and his attempt to keep it confidential.
In addition, the indictment alleges that Sullivan misled Uber's new management team that took over in 2017 by removing certain details from a summary prepared by his team that would have illustrated the true scope of the breach prior to handing over the summary to management. One such omission was that the hackers had actually stolen data. Uber announced the data breach in November 2017 and stated that Sullivan had been fired for not disclosing the incident sooner.
The charges against Sullivan come after the hackers had pleaded guilty to conspiracy to commit extortion charges for their roles in the 2016 breach. In their plea agreements, the hackers admitted targeting and successfully hacking other companies after they extorted Uber for the $100,000 and Uber failed to bring the 2016 data breach to the attention of law enforcement. The cover-up allegedly prevented law enforcement from apprehending the hackers, an arrest that might have prevented the hacking of additional technology companies.
Sullivan faces up to five years in prison if convicted on the obstruction charge, and up to three years in prison if convicted on the concealing a felony charge.
The DOJ’s complaint in this case sheds light on the degree of transparency and cooperation expected by the government, or at the very least what it will not tolerate. The following are preliminary takeaways and issues for consideration.