Last week, the Department of Justice charged Uber’s former chief security officer Joseph Sullivan with obstruction of justice for trying to cover up a data breach the ride-share service experienced in late 2016. Uber first discovered the breach of personal information belonging to more than 57 million customers and drivers that year, but the company’s leadership didn’t immediately report the incident to the public or any authorities. Instead, it paid the perpetrators $100,000 in exchange for their silence and didn’t announce the breach until November 2017. That decision violated the data breach notification laws in every state requiring that companies disclose the theft of their customers’ personal information. In 2018, Uber agreed to a $148 million fine as part of a settlement with the attorneys general from all 50 states and the District of Columbia.
We’ve known those broad outlines of the story for some time, but what hasn’t been clear until the recent charges was how exactly Uber came to decide to pay off the hackers rather than release the information about the breach. The criminal complaint filed against Sullivan sheds light on what apparently happened at Uber in 2016 and offers a stark warning about how firms should not handle a data breach.
Sullivan served as Uber’s CSO from April 2015 through November 2017. During that time, he helped the company respond to a Federal Trade Commission investigation of an earlier data breach the firm experienced in 2014, so he was intimately familiar with the process for investigating breaches and even provided sworn testimony to the FTC about Uber’s data security practices. But in November 2016, just 10 days after providing that testimony, according to the complaint, Sullivan learned about the subsequent 2016 breach of millions of users’ information and promptly began to cover it up.
On Nov. 14, 2016, Sullivan received an email from firstname.lastname@example.org (get it?) claiming that the sender had found a “major vulnerability” in Uber’s database of customer information and had been able to “dump uber database and many other things,” indicating that they had been able to access all the information stored in the database and “dump” it onto their own servers. (A “data dump” typically refers to the transfer or publication of a large quantity of information.) Sullivan’s team commenced an investigation and discovered, within a day, that someone had indeed accessed a database of driver’s license numbers of 600,000 Uber drivers. Even worse, the breach had been perpetrated in almost exactly the same way as the earlier incident in 2014: The attackers who sent the email from the John Doughs account had stolen credentials that gave them access to Uber’s source code on Github and were able to find, in that code, an Amazon Web Services credential that they could use to access the company’s AWS databases. Embarrassingly, in his testimony to the FTC at the hearing on Nov. 4, 2016, Sullivan had highlighted the importance of key management and not hardcoding access credentials into source code as “an important part of an overall security program for any company.”
In the document that Uber used to track the progress of its investigation of the 2016 breach, one team member commented on Nov. 14, “access key has not be rotated [sic] since [it was created in 2013]. None of the people are at the company any longer. Task was to rotate keys within S3 to ensure this could not happen in the future but there are thousands of tasks. Joe was just deposed on this specific topic and what the best or minimum practices that any company should follow in this area.”
Another comment in the same document stated, “Information is extremely sensitive and we need to keep this tightly controlled. Discussion with other Engineers must be tightly controlled. Joe is communicating directly to the A-Team.” According to the complaint, Sullivan and the Uber CEO at the time, Travis Kalanick, were the only members of the company’s leadership team who were made aware of the stolen driver’s license numbers, however. There are no records of the conversation between Sullivan and Kalanick, but on Nov. 15, 2016, Sullivan texted Kalanick, “I have something sensitive I’d like to update you on if you have a minute,” and the two then had a series of phone and FaceTime conversations. Kalanick later responded via text: “Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a [bug emoji] bounty situation … resources can be flexible in order to put this to bed but we need to document this very tightly.”
A later comment in the tracker document highlighted just how secretive the company was being about the discovery of the new breach. It stated:
What is our position to the company to talk about what we are doing? We had a data breach in 2014, we learned our lesson and we need to get our house in order. Hundred service centers must rotate their secrets. Our common story has to be:
- This investigation does not exist.
- We are doing this in order to better protect our information.
The complaint alleges that it was ultimately Sullivan’s decision to handle the incident under the company’s bug bounty program, choosing to pay off the perpetrators with a $100,000 Bitcoin payment in December 2016. That same month, Uber was preparing an update to the FTC about its data security practices and employee access to personal information, as part of the commission’s investigation of the 2014 breach. But Sullivan did not include any information about the more recent incident in the report, nor did he inform the attorneys working on the FTC investigation for Uber about that incident.
In exchange for the $100,000 payment, which was processed through bug bounty coordination firm HackerOne, Sullivan apparently demanded that the hackers sign a nondisclosure agreement stating that they had not accessed or stored any Uber customer or driver data during their intrusion, even though they had explicitly told the company they had done so (and Uber had verified that access independently). “You promise that you did not take or store any data during or through your research and that you have delivered to us or forensically destroyed all information about and/or analyses of the vulnerabilities,” the NDA stated. The hackers initially signed the document using pseudonyms, but in January 2017, after making the payment, Uber’s security team was able to identify the two perpetrators and followed up with them to sign the same nondisclosure agreement under their real names. In October 2019, both men who perpetrated the breach and received the subsequent payment pleaded guilty to trying to extract bounties from Uber and LinkedIn.
Then, in August 2017, when Uber hired new CEO Dara Khosrowshahi, Sullivan initially lied to his new boss about the breach, the complaint alleges. For instance, his staff had drafted a summary of the breach that stated the perpetrators had accessed databases that “contained potentially all rider and driver data in plaintext” and that the hackers “still had possession of our data” when they emailed Sullivan in November 2016. Sullivan edited that summary to state that they hackers had gained access only to “some rider and driver data” and deleted the part about the intruders ever actually taking the data. The summary also incorrectly stated that the $100,000 had been paid only after Uber identified the real identities of the perpetrators. Around the time that the company finally disclosed the incident to the FTC in November 2017, it also fired Sullivan, who currently works as chief information security officer at Cloudflare.
Sullivan faces up to eight years in prison if convicted of all the charges. I’ve never been a strong proponent of jailing executives for failing to prevent data breaches—I’ve argued against policy proposals to that effect in the past. I still think it’s unreasonable and counterproductive to charge executives with crimes for failing to protect their customers’ data, but Sullivan’s behavior, as portrayed by the criminal complaint, goes well beyond failing to implement strong security. What the complaint describes is a deliberate, extended cover-up of a clear, independently verified data breach of personal information. And for that type of purposefully malicious activity, it’s not unreasonable to charge an executive with crimes or send them to jail.
One of the reasons I think it’s a bad idea to punish executives too harshly for poor data security is that there are not clear rules for how, exactly companies are required to protect sensitive information. But there are rules for reporting data breaches, codified in breach notification laws, and Sullivan knew—or certainly should have known—exactly what he was required to do in the aftermath of such an incident. And it’s not as if he ever faced very severe consequences for his actions. Sure, he lost his job at Uber—but promptly found another less than a year later, running security for Cloudflare, a similarly high-profile tech firm, where he continues to be employed. With luck, the charges filed against Sullivan will give some teeth to statutory breach reporting requirements and send a strong message that covering up data breaches is both more difficult and more damaging than it may appear.
Update, Aug. 27, 2020: Bradford Williams, a spokesperson for Joseph Sullivan, has sent Slate the following statement: ”There is no merit to the charges against Mr. Sullivan. … If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed.”