Former Uber security chief faces criminal charges for hiding 2016 breach

(Photo by Robyn Beck/AFP via Getty Images)

Federal prosecutors have charged former Uber security chief Joe Sullivan with obstruction of justice for hiding a 2016 data breach from Federal Trade Commission investigators. Sullivan is now the chief security officer at Cloudflare.

In an emailed statement, a spokesman for Sullivan said the government's charges have "no merit."

"From the outset, Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company's written policies," the spokesman wrote. "Those policies made clear that Uber's legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed."

The criminal complaint, filed Thursday, suggests that Uber's then-CEO Travis Kalanick was aware of the breach and Sullivan's efforts to cover it up. It also concedes that Uber's general counsel may have been aware of the breach by April 2017. But it argues that Sullivan kept others involved in Uber's FTC response in the dark about the incident.

Two breaches, two years apart

In 2014, Uber suffered a data breach after hackers found cloud storage credentials hard-coded in Uber source code that an Uber engineer accidentally published on GitHub. The credentials provided access to live data stored on Amazon's S3 cloud storage service. The hackers gained access to names and driver's license numbers for around 100,000 Uber drivers, as well as a much smaller number of bank account and Social Security numbers.

The breach triggered an investigation by the Federal Trade Commission. In November 2016, the FTC interviewed Sullivan. He had joined Uber in 2015 after five years as Facebook's chief security officer (we interviewed him in 2013 and 2014), so he hadn't been around during the 2014 breach. But as Uber's new security chief, it was his job to explain the situation to the FTC's investigators.

According to the criminal complaint, Sullivan "elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service."

Ten days after his testimony, Sullivan learned that Uber had suffered a second breach that was a near replay of the first one. This time, a hacker reportedly stole credentials to gain access to Uber's private code on GitHub. And that code still had some hard-coded Amazon S3 credentials. The hackers gained access to around 600,000 names and drivers' license numbers.
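Both breaches share one root cause: AWS access keys written as string literals in source that later left the company's control. As an added defender-side example (not code from the article, from Uber, or from any of the parties named), here is a small Python check of the kind a pre-commit or CI hook would run to catch that pattern, shown against a constructed vulnerable snippet and its hardened counterpart. The key pair in the sample is AWS's published documentation example, not a real credential.

```python
import re

# Long-term AWS access key IDs start with "AKIA" followed by 16 uppercase
# alphanumerics (AWS's documented format). The secret check is a heuristic:
# a 40-character base64-style token assigned to a "secret"-named variable.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
AWS_SECRET_RE = re.compile(
    r"(?i)(aws)?_?secret(_access)?_?key\W{0,3}['\"]([A-Za-z0-9/+=]{40})['\"]"
)

def find_hardcoded_aws_creds(source: str):
    """Return (line_no, kind, value) for every credential-looking literal."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            hits.append((n, "access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            hits.append((n, "secret_access_key", m.group(3)))
    return hits

def check_snippet(source: str) -> bool:
    """True when the source contains no hard-coded AWS credentials."""
    return not find_hardcoded_aws_creds(source)

# Constructed sample: credentials embedded the way the article describes.
# The values are the example key pair from AWS's own documentation.
VULNERABLE_SNIPPET = '''
import boto3
client = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''

# Hardened form: no literals in code. The SDK resolves credentials from
# environment variables or an attached IAM role, so a leaked copy of the
# repository carries no secret.
HARDENED_SNIPPET = '''
import boto3
client = boto3.client("s3")  # credentials come from env vars / IAM role
'''

if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        for line_no, kind, value in find_hardcoded_aws_creds(snippet):
            print(f"{name}: line {line_no}: hard-coded {kind}: {value}")
        print(f"{name}: clean={check_snippet(snippet)}")
```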

Uber paid the hackers to stay quiet

Uber's security team immediately recognized that it would be embarrassing to announce a second breach while the FTC was still investigating the first one. "Information is extremely sensitive and we need to keep this tightly controlled," one internal document said.

So Uber decided to treat the breach as part of its bug bounty program. Under that program, Uber pays white-hat hackers for information about vulnerabilities in its software. Ordinarily, payments are less than $10,000 and hackers aren't supposed to exploit vulnerabilities to access user data. And in bug bounty cases, hackers are allowed to publicly disclose a vulnerability once Uber has fixed the vulnerability.

But Uber's lawyers wrote a special contract for these hackers. In exchange for an unusually large $100,000 payment, the hackers signed a strict non-disclosure agreement. The deal asked hackers to state—falsely—that they had not accessed any user data.

According to prosecutors, Kalanick was aware of this plan. At 1am on November 15, Sullivan texted Kalanick. "I have something sensitive I'd like to update you on if you have a minute," he wrote.

Ten minutes later—and presumably after a phone conversation—Kalanick texted Sullivan back. "Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a ? bounty situation… resources can be flexible in order to put this to bed but we need to document this very tightly."

It was a full year before the FTC learned about the 2016 breach. Kalanick was forced out as Uber's CEO in June 2017 and replaced by Dara Khosrowshahi a couple of months later. When Khosrowshahi learned about the situation, he fired Sullivan and reported the new breach to the FTC. The FTC withdrew a tentative settlement agreement and the investigation dragged on for another year before the case was finally settled in 2018.

The feds say Uber's cover-up may have prevented law enforcement from br