Former Uber CSO charged over 'hush money' payment to hackers

Former Uber CSO Joe Sullivan was charged Thursday for allegedly covering up a massive 2016 data breach at the ride-sharing company that exposed personal data for 57 million customers and drivers.

Sullivan, 52, was charged in U.S. District Court in San Francisco with one count of obstruction of justice and one count of misprision of a felony in connection with Uber's response to the 2016 data breach. David Anderson, U.S. Attorney for the Northern District of California, said in a press conference that Sullivan was behind a "corporate cover-up" designed to conceal the data breach from the Federal Trade Commission (FTC), which was conducting an inquiry into the company over a previous data breach that occurred in 2014.

"Instead of promptly revealing the 2016 hack, Sullivan covered it up by having Uber pay the hackers $100,000 in hush money," Anderson said.

Sullivan, who was not arrested, faces a maximum penalty of eight years in prison. Prior to serving in infosec and legal roles at PayPal, eBay, Facebook and Uber, Sullivan was a former assistant U.S. attorney in the same district where he now faces charges.

According to court documents, federal prosecutors claim Sullivan was "visibly shaken" in the aftermath of the 2016 breach, in which unknown threat actors used Uber credentials exposed on GitHub to access an AWS S3 bucket that contained a database of customer and driver information.

Anderson said Uber was in a "precarious position at that time" because of the existing FTC inquiry related to the 2014 hack. According to court documents, the threat actors contacted Sullivan over email, revealing they had exploited "a major vulnerability" to obtain corporate data from Uber and that they "expected a six-figure payout."

Instead of disclosing yet another data breach to the public and government regulators, Sullivan allegedly opted to conceal the 2016 breach by disguising the $100,000 bitcoin payment to the hackers.

Prosecutors claim Sullivan and Uber's security team identified the threat actors and obtained nondisclosure agreements from them, which falsely described the arrangement as a bug bounty reward. In exchange for the payment, the threat actors agreed not to disclose any information about the breach. Uber arranged for the payment to be made through its bug bounty provider, HackerOne, even though it had never paid out a bounty close to $100,000 before.

Last October, two individuals -- Brandon Charles Glover and Vasile Mereacre -- pleaded guilty to hacking and extortion charges in connection with the 2016 Uber breach and a similar attack on LinkedIn. According to court documents, Glover and Mereacre provided investigators with information about the hack and their subsequent dealings with Sullivan.

Knowledge of the 2016 breach was limited to Sullivan, members of his staff and former Uber CEO Travis Kalanick. According to court documents, the rest of the company's management team had no knowledge of the incident.

After Kalanick stepped down as CEO in 2017, Sullivan briefed newly appointed CEO Dara Khosrowshahi on the incident but concealed the true nature of the data breach, according to prosecutors.

In November 2017, Uber announced that Sullivan and Craig Clark, an Uber attorney who reported to Sullivan, had been fired and publicly disclosed the 2016 data breach. Details of the incident were first reported by Bloomberg.

The allegations against Sullivan rocked the infosec community and raised unsettling questions for CISOs and security managers about disclosures of cyberattacks and breaches.

Despite the controversy of the alleged cover-up, Cloudflare hired Sullivan as its new CSO in May 2018. SearchSecurity contacted Cloudflare for comment regarding the charges against its CSO, and the company referred to a statement from CEO Matthew Prince on Twitter.

Sad to see Joe Sullivan allegations. Joe's had a distinguished career as a US Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare. Anytime an opportunity arose, Joe's advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family.

— Matthew Prince (@eastdakota) August 20, 2020

In his press conference, Anderson said "Silicon Valley is not the Wild West" and emphasized that companies must properly disclose breaches and cybersecurity incidents.

"We expect prompt reporting of criminal conduct. We expect cooperation with our investigations," Anderson said. "We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."