Uber Exec Allegedly Concealed 2016 Hack With $100K BTC ‘Bug Bounty’ Pay-Off
A former CSO is accused of trying to conceal Uber’s involvement in a 2016 data breach by paying the hackers $100K in Bitcoin.
Joseph Sullivan, a former Chief Security Officer at Uber, allegedly tried to cover up a 2016 hack of sensitive data by funneling a hush money payment of $100,000 in Bitcoin through a bug bounty program.
The hackers had obtained the drivers’ license numbers of roughly 600,000 Uber drivers as well as private information for roughly 57 million users.
According to an Aug. 20 announcement from the U.S. Department of Justice (DoJ), Sullivan has been charged with obstruction of justice and misprision of a felony in connection with the 2016 hack. The former CSO is accused of taking “deliberate steps to conceal, deflect, and mislead” the Federal Trade Commission (FTC) regarding the data breach and the associated $100,000 Bitcoin (BTC) hush money payment.
The DoJ accused him of preventing knowledge of the breach from being reported to the FTC by funneling the Bitcoin hush money through a bug bounty program. Ordinarily such programs are used for legitimate payments to ‘white hat’ hackers who report on a company’s security issues, not those who actually obtain unauthorized data.
“We will not tolerate illegal hush money payments,” said U.S. Attorney David Anderson. “Silicon Valley is not the Wild West.”
The agency also alleges Sullivan tried to conceal the company’s involvement in the breach by asking the hackers to sign non-disclosure agreements falsely stating they had not obtained any personal data from Uber — even while they were anonymous.
When an investigation unmasked two of the individuals responsible for the breach, the DoJ alleges Sullivan still asked the hackers to sign NDAs rather than report them.
Two of the hackers involved in the Uber breach pleaded guilty to charges of computer fraud conspiracy in October and are now awaiting sentencing.
Negotiating With Criminals
Companies are increasingly being forced to deal directly with cyber criminals — though most remain within the law while doing so. Representatives from U.S.-based corporate travel firm CWT were able to negotiate a 50% discount from hackers demanding a $10 million payment after they stole sensitive files from the company in July.
More recently, the University of California conducted a week-long negotiation with a NetWalker ransomware group after it shut down seven of the institution’s servers. The university was able to convince the group to come down from $3 million to $1 million using respectful and flattering language in their chats.
Former Uber Security Chief Charged Criminally In Connection With 2016 Hack
Joe Sullivan is accused of concealing details of massive breach from federal authorities.
Uber Technologies Inc.’s former chief security officer, Joe Sullivan, was charged Thursday for allegedly concealing from federal authorities details about the massive data breach the ride-hailing giant suffered in 2016.
Mr. Sullivan, a former federal prosecutor who is now chief security officer at internet services company Cloudflare Inc., was fired by Uber in 2017 for his role in the data breach, which affected 57 million accounts.
At the time, Uber said Mr. Sullivan paid $100,000 to hackers via the company’s bug-bounty program, in an effort to conceal the breach.
Prosecutors say Mr. Sullivan concealed the breach even as the Federal Trade Commission was investigating a 2014 data breach at Uber. “We expect prompt reporting of criminal conduct,” U.S. Attorney David L. Anderson said in a statement, adding that “we will not tolerate corporate coverups. We will not tolerate illegal hush-money payments.”
Mr. Sullivan was charged in San Francisco on charges of obstruction of justice and failing to report a crime, the Department of Justice said in a press release. Mr. Sullivan faces up to five years in prison if found guilty of obstructing justice.
A spokesman for Mr. Sullivan said there was no merit to the charges. “From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber,” the spokesman said in a statement. “Those policies made clear that Uber’s legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed.”
The charges against Mr. Sullivan are unusual, said Randy Gainer, a retired lawyer who formerly specialized in data-breach law.
While chief security officers often take the blame for the missteps that lead to a breach, “I’m not aware of another incident where a security officer has been criminally charged,” Mr. Gainer said. But just as unusual, he said, was Mr. Sullivan’s apparent decision to not report the incident even after hackers had allegedly accessed the data.
Uber has said the hack exposed the names, emails and phone numbers of millions of riders, and about 600,000 drivers’ license numbers. The company, when it disclosed the hack, said financial information such as credit cards and Social Security numbers weren’t taken and that it had identified the hackers and obtained assurances they had destroyed the stolen data.
Uber continues to cooperate fully with the Justice Department’s investigation, a company spokesman said in an emailed statement.
Dealing with the aftermath of the hack came at a tumultuous time for Uber. Dara Khosrowshahi had only recently taken over as chief executive after a year of controversies and missteps that took place under his predecessor and Uber co-founder Travis Kalanick. Uber in 2017 also fired its top driverless-car executive, Anthony Levandowski, whom Google parent Alphabet Inc. had accused of intellectual-property theft. The former Uber and Google executive this month was sentenced to 18 months on one count of stealing trade secrets.
When the 2016 hack took place, Uber was already under scrutiny by the FTC over a data breach two years earlier. Mr. Sullivan, at the time, was involved in answering the regulator’s questions about the 2014 incident and then tried to cover up the latest incident with the payment made via the digital currency bitcoin, the Justice Department said.
After being approached in 2016 by hackers demanding a six-figure payout, Uber’s security team soon concluded that the hackers were able to access Uber’s data in “almost the identical manner the 2014 attacker had used,” prosecutors said in court filings.
The two hackers accessed Uber’s data by first using stolen credentials on the software-development site GitHub to gain access to Uber’s source code. There they found the digital keys that were necessary to download the company’s data, prosecutors say.
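The foothold described above, a credential-protected GitHub repository whose source contained keys that unlocked the company’s data store, is exactly the situation pre-commit and repository secret scanning is meant to catch before a repository is ever exposed. What follows is an added example, not code from the article, from Uber, or from any scanning product: a minimal scanner run over a constructed in-memory repository. The rule set (an AWS access key ID format, PEM private-key headers, and a secret-looking assignment scored by Shannon entropy) is an assumption about what the article’s unspecified “digital keys” might have looked like; the sample values are made up, and the AWS ones are AWS’s own documentation placeholders.

```python
import math
import re
from typing import Dict, List, NamedTuple

# Constructed sample repository: path -> file contents. Every value below is
# made up for this example; none is a real credential.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAexampleexampleexample\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/main.py": (
        "import os\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']  # read from the environment, not hard-coded\n"
        "GREETING = 'hello world'\n"
    ),
}


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    entropy: float  # Shannon entropy (bits per character) of the matched value


# Rule name -> compiled pattern (assumed formats, see lead-in). The first two are
# fixed formats; the third is a generic "secret-ish name assigned a quoted
# literal" heuristic, so its entropy score helps tell random-looking keys apart
# from placeholders such as 'changeme'.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded_secret_assignment",
     re.compile(r"(?i)\b\w*(?:secret|password|token)\w*\s*=\s*['\"]([^'\"]{8,})['\"]")),
]


def shannon_entropy(value: str) -> float:
    """Bits per character: 0 for a repeated character, higher for random-looking keys."""
    if not value:
        return 0.0
    n = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply every rule to every line of one file and return the findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                # Score the captured literal when the rule has one, else the whole match.
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, lineno, rule, round(shannon_entropy(value), 3)))
    return findings


def scan_repo(repo: Dict[str, str]) -> List[Finding]:
    """Scan every file in the (in-memory) repository, in a stable path order."""
    results: List[Finding] = []
    for path in sorted(repo):
        results.extend(scan_text(path, repo[path]))
    return results


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}  {f.rule}  entropy={f.entropy}")
```

Run against the sample repository, the scanner flags the access key ID and the high-entropy secret in `config/settings.py` and the private-key header in `deploy/id_rsa`, while `app/main.py`, which reads its password from the environment, produces nothing. In practice the same rules belong in a pre-commit hook or CI job, and a hit should trigger rotation of the exposed key rather than just deletion of the line, since repository history keeps it.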
Instead of refusing the extortion payment and disclosing the breach, Mr. Sullivan elected to pay the hackers through Uber’s bug-bounty program and forced them to sign non-disclosure agreements, prosecutors say. The two men pleaded guilty to hacking charges last year, the Justice Department said.
Uber didn’t disclose any of these details of the 2016 breach to the FTC, and instead claimed that it had made a number of significant improvements to its data security since the 2014 incident, prosecutors say. “Uber relied on these supposed improvements in arguing that the FTC should not bring a claim against the company,” prosecutors state.
An FTC spokeswoman declined to comment on the charges against Mr. Sullivan.
Cloudflare’s chief executive, Matthew Prince, said on Twitter that he hoped the matter would be resolved quickly.