Former Uber CSO charged for 2016 hack cover-up

sucks-uber.jpg

Uber’s former chief security officer was charged on Thursday for covering up the company’s 2016 security breach, during which hackers stole the personal details of 57 million Uber customers and the details of 600,000 Uber drivers.

Prosecutors in Northern California are charging Joe Sullivan, 52, who served as Uber CSO between April 2015 and November 2017, when Uber changed its CEO and most of its management team.

According to court documents, DOJ officials claim that Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach.”

Speaking at a press conference today (see video below), US Attorney for the Northern District of California David Anderson said that by hiding the Uber hack from authorities and management, Sullivan indirectly helped the hackers breach other companies.

“This office charged the hackers and last year, and they pleaded guilty,” Anderson said. “In their guilty pleas, the hackers admitted to hacking other companies using similar techniques to those used in the Uber hack.

“If Sullivan had promptly reported the Uber hack those other hacks of those other companies may have been prevented,” Anderson said.

[embedded content]

How the 2016 Uber hack unfolded

But to understand what happened behind the scenes, we must combine details put forward by the DOJ today and court documents from the DOJ’s case against the Uber hackers — namely, Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto.

Per these two sets of documents, the Uber hack took place after the two hackers used a custom-built tool to gain access to GitHub accounts.

Glover and Mereacre specifically targeted the accounts of employees working for large corporations, gained access to their GitHub profiles, and then searched through the employee’s projects for sensitive passwords and credentials.

This is how the two hackers got their hands on Amazon Web Services (AWS) credentials for Uber’s backend infrastructure, where they found and subsequentially downloaded details for 57 million Uber customers and 600,000 Uber drivers.

Per court documents, the two hackers reached out to Sullivan via email, claiming they “found a major vulnerability,” provided a sample of the stolen data, and then requested a $100,000 payment in bitcoin to reveal the company’s security hole.

Court documents unsealed today reveal that at the time Sullivan received this email, on November 14, Sullivan had just submitted a written testimony to the FTC about a 2014 security breach, during which a hacker stole the names and drivers licenses of about 50,000 drivers.

Prosecutors say that Sullivan and his security team confirmed the validity of the hackers’ sample data within 24 hours of receiving the email, but instead of notifying the FTC of this new security breach, Sullivan agreed to pay the hackers’ “hush money.”

Court documents filed today show conversations Sullivan had with then-Uber CEO Travis Kalanick about the security breach, with Kalanick giving the go-ahead for the hackers to receive their ransom in the form of a bug bounty program payout.

uber-conversations.png

uber-conversations.png

Investigators say that Sullivan proceeded with this plan and arranged for the hackers to sign a non-disclosure agreement even without knowing their real names. This initial contract was signed, and the bounty paid in December 2016 via the company’s HackerOne bug bounty program.

However, US prosecutors say that when Uber’s security team tracked down and identified the two hackers, instead of notifying authorities, Sullivan had the two hackers re-sign their confidentiality agreement in their true names.

Furthermore, the DOJ complaint claims that Sullivan insisted on the hackers signing a contract that claimed they had not taken any of Uber’s data, knowing this statement was false.

“When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements,” the DOJ said today in a press release.

New management comes in, exposes hack

Things then calmed down, but only until August 2017, when Uber’s board ousted Kalanick and replaced him with Dara Khosrowshahi.

The DOJ says that Sullivan notified the new management team about the 2016 security incident, but continued to cover up the hack.

“Specifically, Sullivan failed to provide the new management team with critical details about the breach,” the DOJ said. “In September 2017, Sullivan briefed Uber’s new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.”

But despite the issue being resolved, the new Uber CEO disclosed the breach to the public in November 2017. This disclosure was followed by an FBI investigation, which quickly identified and arrested the hackers, both of which pleaded guilty in October 2019.

As the FBI investigated and gained access to the company’s internal communications, they also started to understand Sullivan’s role in covering up the 2016 breach.

“Silicon Valley is not the Wild West,” said Anderson today. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

Sullivan was charged today with obstruction of justice and misprision of a felony in connection to the 2016 hack and subsequent cover-up. If found guilty on both charges, Sullivan risks maximum prison sentences of five and three years, respectively.

As NPR pointed out today, before serving as a CSO at Uber, Sullivan had previously spent two years prosecuting computer hacking crimes as an assistant US Attorney in the very same office that charged him today.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Millions in Cryptocurrency Stolen by Scammers in the Last Month According to Tenable Research
November 24, 2021
Behind The Scenes: How this Crypto Community Responded to + $50m Hack
October 18, 2021
Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021

Blockchain/Cryptocurrency Questions and Answers

GamStop
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
Cryptocurrency
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
Ethereum
The Unconventional Guide to Ethereum
October 28, 2021
ICo Presale
The Science Behind ICO Presales…
October 14, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin36,801 0.79 % 7.32 % 13.00 %
Ethereum2,436.9 0.91 % 7.25 % 24.24 %
Tether1.000 0.48 % 0.18 % 0.03 %
Binance Coin373.14 0.40 % 6.12 % 21.67 %
USD Coin1.000 0.07 % 0.09 % 0.19 %
Cardano1.040 1.28 % 2.88 % 34.52 %
Solana93.58 0.72 % 9.16 % 33.18 %
XRP0.6076 0.76 % 4.41 % 20.55 %
Terra64.45 0.65 % 0.66 % 16.64 %
Polkadot18.59 0.75 % 9.68 % 27.80 %

bitcoin
Bitcoin (BTC) $ 36,735.00
ethereum
Ethereum (ETH) $ 2,431.86
tether
Tether (USDT) $ 1.00
binance-coin
Binance Coin (BNB) $ 373.24
usd-coin
USD Coin (USDC) $ 1.00
cardano
Cardano (ADA) $ 1.04
solana
Solana (SOL) $ 93.42
xrp
XRP (XRP) $ 0.605657
terra-luna
Terra (LUNA) $ 64.09
polkadot
Polkadot (DOT) $ 18.58