Joseph Sullivan concealed a hack that exposed the data of 57 million customers. No security officer had ever been charged with obstructing justice and misrepresenting a crime before.

Joseph Sullivan, former Uber chief security officer, was accused of obstruction of justice for concealing a hack that compromised the data of 57 million Uber users 4 years ago.

Sullivan paid the attackers USD 100,000 worth of Bitcoin, hid the data breach from security institutions, and told his team not to tell anyone about the event. The case seems to establish a precedent, as no security officer has ever been charged with concealing a hack before.

On August 20th, the US Department of Justice stated that Sullivan is charged with obstructing justice since he did not report a serious crime. According to the document, the executive took “deliberate measures” to prevent the Federal Trade Commission (FTC) from learning about the hack.

The hackers who compromised Uber’s data contacted Sullivan in November 2016. By e-mail, the attackers demanded a six-figure payment in exchange for not destroying the data that they had stolen.

In the message, the criminals said that they had accessed and downloaded a database from the platform with private information on users and drivers.

In 2016, the hackers used their own GitHub verification tool to access other sites, according to court records. In this way, they targeted company employees whose accounts they would hack to gain access to sensitive information.

They accessed other people’s accounts and then searched for tools on the Amazon Web Services (AWS) computing services platform. After that, the hackers connected to Uber’s backends (the code that runs an application and has access to its databases). They aimed to obtain confidential information from 57,000 customers and 600,000 drivers.

According to prosecutors, Sullivan paid the hackers the required amount to buy their silence, rather than notifying the FTC of the incident, as required by law.

When that happened, the agency in charge of consumer rights in the United States was inspecting the security of Uber’s technology platform concerning a data breach that took place in 2014.

Sullivan paid the amount of money that the hackers demanded and disguised it as a reward granted by Uber. The company provides monetary incentives to those who find vulnerabilities in the technology platform before cybercriminals can exploit them.

Contributors need to sign an information nondisclosure agreement so that Uber can process vulnerability rewards. This procedure would have made it possible to identify the hacker.

However, the executive reportedly forced the criminals to renounce the nondisclosure agreement. In addition, at Sullivan’s insistence, the hackers signed a document in which they swore that they had not stolen Uber data, which was not true.

Sullivan paid the hackers an amount of money that far exceeded what Uber had paid through the rewards program, which did not cover the theft of private user and driver data.

Truths and Lies about Safety and Hacking at Uber

After becoming the CEO of Uber in 2017, Dara Khosrowshahi learned about the hack that had occurred the previous year, reported it to the authorities, and then dismissed Sullivan. The former Uber chief security officer is now suspected of obstructing justice and misrepresenting a crime. He could go to prison for eight years if he is found guilty.

When Sullivan joined Uber in 2015, he began working as a federal prosecutor in hacking and intellectual property law. He had held other positions at companies such as PayPal and eBay Inc. before becoming Facebook’s chief security officer in 2008. Currently, he is head of information security at Cloudflare.

According to Uber security personnel, Sullivan paid the ransom to ensure that the hackers did not destroy the data. The data included driver’s license information for the drivers who offer their services through the company’s application.

Brad Williams, Sullivan’s spokesman, said that the charges have no basis. “If it had not been for Mr. Sullivan and his team, it would never have been possible to identify the individuals responsible for this incident,” he said.

The investigation into the case found that Brandon Glover (26), from the United States, and Vasile Mereacre (23), from Canada, were the hackers that attacked Uber in 2016. Both criminals pleaded guilty in 2019.

By Willmen Blanco
