Ex-Uber chief security officer charged, accused of covering up theft of personal info from databases by hackers

Say it ain't Joe?

As Uber's chief security officer, Joe Sullivan broke the law by hushing up the theft of millions of people's details from the app maker's databases by hackers, prosecutors say.

Sullivan, 52, formerly of eBay, Facebook, and PayPal, was today charged with obstruction of justice and misprision – concealing knowledge of a crime from law enforcement – by the US District Attorney for Northern California, an office he briefly worked for back in the day. These come with potentially five and three-year prison sentences, respectively, and a fine of up to $250,000 apiece.

According to the government, the charges [PDF] stem from Sullivan's efforts to cover up the 2016 security breach at Uber in which miscreants siphoned from internal databases the personal information of 57 million passengers and 600,000 drivers, including their driving license details.

The hack was significant enough that Sullivan was "visibly shaken" by the break-in, particularly after Uber had been dealing with the fallout from a 2014 cyber-intrusion, according to FBI special agent Mario Scussel.

"A witness also reported that Sullivan stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out," Scussel claimed in court filings this week.

Ransom note

'Don’t be so concerned with your image'... US prosecutor lets rip on Uber for hack cover-up as pair plead guilty


We're told that, rather than informing the Feds and publicly disclosing the security lapse, Sullivan instead sought to hush up the hack by buying the silence of the intruders with $100,000 in Bitcoins, making them sign confidentiality agreements to keep the details under wraps, and playing the whole thing off as a reward for finding a bug in Uber's systems rather than characterizing it more accurately as a data leak.

Had he followed the letter of the law, Sullivan and his team would have at least reported the information theft to the FTC and to privacy regulators in Uber's home state of California. Alerting the FBI to snare the hackers might have been a good idea, too. Instead, we're told, Sullivan informed the FTC no records were stolen when the watchdog asked about the incident, and that it was a simple bug bounty find – a claim that led to the filing of today's criminal charges.

"This misrepresentation concealed the fact that the hackers had, in fact, stolen data, thereby falsely giving the incident the appearance of a typical bug bounty claim rather than a data breach," Scussel wrote. "Sullivan instructed [his] team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under its 'bug bounty' program."

The agent claimed Sullivan conversed with then-CEO Travis Kalanick about the brewing scandal, and they agreed to disguise the payment as a bug bounty to the intruders "put this to bed," as Kalanick is quoted as saying.

In 2017, Dara Khosrowshahi took over as chief exec of Uber, following the departure of Kalanick, and when he learned of the true nature of the database infiltration and payoffs, he promptly gave Sullivan and one of his fellow execs their marching orders, and went public with the security bungle. According to court documents, Sullivan had earlier lied to Khosrowshahi about the reason for the payments.

"Concealing information about a felony from law enforcement is a crime,” said Craig Fair, deputy special agent in charge at the FBI.

"While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.

Another facet of this case, according to the government's filings: the two hackers paid off by Uber apparently had help from a third person in obtaining the internal data from Uber's Amazon-hosted S3 buckets. And although the pair of miscreants asked their pal to delete their copy of any purloined information, it's not known if that erasure ever actually happened.

In 2018, Sullivan resurfaced at Cloudflare, again as chief security officer. CEO Matthew Prince, obviously in a rather awkward position, today issued the following statement.

Unfortunately for Sullivan, the matter probably isn't going to be "resolved quickly" any time soon. His first court appearance is yet to be scheduled.

"We continue to cooperate fully with the Department of Justice’s investigation," an Uber spokesperson told The Register. "Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability."

The ride-hailing app maker, meanwhile, has more pressing matters to deal with, as it continues to spar with the state of California over the employment status of its drivers. The software upstart, along with rival service Lyft, just won a last-minute reprieve from an appeals judge, and it looks like service will continue at least until the matter faces a public vote in November. ®

Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022