Who knew what, when? —
Joe Sullivan says it wasn’t his decision to keep the FTC in the dark.
Timothy B. Lee
Federal prosecutors have charged former Uber security chief Joe Sullivan with obstruction of justice for hiding a 2016 data breach from Federal Trade Commission investigators. Sullivan is now the chief security officer at Cloudflare.
In an emailed statement, a spokesman for Sullivan said the government’s charges have “no merit.”
“From the outset, Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies,” the spokesman wrote. “Those policies made clear that Uber’s legal department—and not Mr. Sullivan or his group—was responsible for deciding whether, and to whom, the matter should be disclosed.”
The criminal complaint, filed Thursday, suggests that Uber’s then-CEO Travis Kalanick was aware of the breach and Sullivan’s efforts to cover it up. It also concedes that Uber’s general counsel may have been aware of the breach by April 2017. But it argues that Sullivan kept others involved in Uber’s FTC response in the dark about the incident.
Two breaches, two years apart
In 2014, Uber suffered a data breach after hackers found cloud storage credentials hard-coded in Uber source code that an Uber engineer accidentally published on GitHub. The credentials provided access to live data stored on Amazon’s S3 cloud storage service. The hackers gained access to names and driver’s license numbers for around 100,000 Uber drivers, as well as a much smaller number of bank account and Social Security numbers.
The breach triggered an investigation by the Federal Trade Commission. In November 2016, the FTC interviewed Sullivan. He had joined Uber in 2015 after five years as Facebook’s chief security officer (we interviewed him in 2013 and 2014), so he hadn’t been around during the 2014 breach. But as Uber’s new security chief, it was his job to explain the situation to the FTC’s investigators.
According to the criminal complaint, Sullivan “elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service.”
Ten days after his testimony, Sullivan learned that Uber had suffered a second breach that was a near replay of the first one. This time, a hacker reportedly stole credentials to gain access to Uber’s private code on GitHub. And that code still had some hard-coded Amazon S3 credentials. The hackers gained access to around 600,000 names and drivers’ license numbers.
Uber paid the hackers to stay quiet
Uber’s security team immediately recognized that it would be embarrassing to announce a second breach while the FTC was still investigating the first one. “Information is extremely sensitive and we need to keep this tightly controlled,” one internal document said.
So Uber decided to treat the breach as part of its bug bounty program. Under that program, Uber pays white-hat hackers for information about vulnerabilities in its software. Ordinarily, payments are less than $10,000 and hackers aren’t supposed to exploit vulnerabilities to access user data. And in bug bounty cases, hackers are allowed to publicly disclose a vulnerability once Uber has fixed the vulnerability.
But Uber’s lawyers wrote a special contract for these hackers. In exchange for an unusually large $100,000 payment, the hackers signed a strict non-disclosure agreement. The deal asked hackers to state—falsely—that they had not accessed any user data.
According to prosecutors, Kalanick was aware of this plan. At 1am on November 15, Sullivan texted Kalanick. “I have something sensitive I’d like to update you on if you have a minute,” he wrote.
Ten minutes later—and presumably after a phone conversation—Kalanick texted Sullivan back. “Need to get certainty of what he has, sensitivity/exposure of it and confidence that he can truly treat this as a 🐛 bounty situation… resources can be flexible in order to put this to bed but we need to document this very tightly.”
It was a full year before the FTC learned about the 2016 breach. Kalanick was forced out as Uber’s CEO in June 2017 and replaced by Dara Khosrowshahi a couple of months later. When Khosrowshahi learned about the situation, he fired Sullivan and reported the new breach to the FTC. The FTC withdrew a tentative settlement agreement and the investigation dragged on for another year before the case was finally settled in 2018.
The feds say Uber’s cover-up may have prevented law enforcement from bringing the hackers to justice earlier. In the year between the breach and Uber’s disclosure of it, the pair used similar techniques to hack several other large companies. If Uber had reported the breach promptly, it’s possible that the feds would have caught the hackers responsible much earlier and saved some other companies from the same fate.
Who knew what, and when?
The government’s complaint doesn’t accuse Sullivan of directly lying to the FTC. But it portrays Sullivan as the mastermind of Uber’s efforts to keep the FTC in the dark.
Sullivan’s press statement suggests that he will fight the charges by arguing that he wasn’t personally responsible for Uber’s handling of the situation. The government’s brief acknowledges that Kalanick also knew the breach occurred and authorized an unusually large payment to the hackers to keep it under wraps. But the government claims that few others at Uber knew about it.
For example, Sullivan was consulted on a draft of a letter Uber sent to the FTC in April 2017. It touted Uber’s record of cooperation with the agency, including its practice of voluntarily submitting relevant information to the agency. In response, Sullivan wrote, “Letter looks ok to me.”
The final version of that letter touted the new security measures Uber had put into place since the 2014 breach, including “extensive additional protections for the data it stores [Uber] stores in the S3 datastore” and “company-wide improvements in credential protection and management.”
FBI agent Mario Scussel, the author of the government complaint, wrote that “based on my investigation, I do not believe that any of the individuals responsible for drafting the April 19 letter to the FTC had been made aware of the 2016 data breach.” But in a footnote, he hedges this broad statement, acknowledging that Uber’s general counsel may have known the breach occurred. He added, “I have seen no evidence that the general counsel was aware of the details, such as the nature of the attack or the PII that was stolen.”