In what may be the first such case, a company’s former security officer has been charged with two federal crimes for hiding the details of a second breach from the agency investigating the first.
The United States Attorney for the Northern District of California has filed a criminal complaint against Uber’s former chief security officer for allegedly concealing information from the Federal Trade Commission (FTC) during its investigation of a 2014 hack of the ride-sharing company. Reportedly, former Uber Chief Security Officer Joseph Sullivan hid details of a 2016 hack from the FTC, a hack he learned of roughly ten days after being deposed about the 2014 breach. The 2016 hack resulted in the theft of the personal information of some 57 million riders and drivers, including the driver’s license numbers of roughly 600,000 drivers, and Sullivan allegedly concealed the breach from Uber’s new leadership as well. The complaint also suggests that the same hackers went on to compromise other companies, in large part because Sullivan kept his own company’s breach quiet rather than reporting it to law enforcement. This may be the first time the United States (U.S.) Department of Justice (DOJ) has sought to hold an employee of a breached company criminally liable for how the breach was handled, and it may signal how the U.S. government intends to treat companies and employees that hide or obscure hacks and other potentially damaging events.
In the affidavit accompanying the complaint, a Federal Bureau of Investigation (FBI) agent asserted “when SULLIVAN learned that Uber’s systems had been hacked in approximately November 2016—approximately ten days after SULLIVAN had provided sworn testimony to the FTC—SULLIVAN engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.” Sullivan purportedly hid the breach from Uber’s new leadership and “instructed his team to keep knowledge of the 2016 Breach tightly controlled.” Thereafter, Sullivan “instructed the team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under its “bug bounty” program…[and] arranged for its bug bounty vendor to pay the hackers $100,000, which at the time was by far the largest bounty that Uber had ever paid through the program.” Sullivan “further insisted that the hackers agree to sign non-disclosure agreements (“NDAs”) in exchange for the $100,000 bounty payment that would supplement the standard terms of Uber’s bug bounty program.”
The FBI agent added:
- On November 21, 2017, Uber’s new CEO issued a press release stating that he had recently become aware of the details of the 2016 Breach. At approximately the same time, the 2016 Breach was disclosed to the FTC. By November 2017, Uber and the FTC had reached a tentative agreement resolving the FTC’s investigation, which included a draft complaint and consent order with various provisions Uber was required to comply with. The agreement was not yet final, and after the FTC learned of the 2016 Breach, it effectively withdrew from that tentative agreement.
- In light of the new information regarding the 2016 Breach, the FTC effectively withdrew its previous settlement terms and added further requirements to the resolution with Uber. The revised draft complaint included a recitation of facts related to the 2016 Breach, and the revised draft consent order withdrew certain concessions it had made to Uber and added a new, affirmative notification provision regarding any future breaches. The FTC gave final approval to the revised Complaint and Consent Order on October 26, 2018.
The FBI agent claimed
- [T]here is probable cause to believe that the defendant engaged in a cover-up intended to obstruct the lawful functions and official proceedings of the Federal Trade Commission. SULLIVAN intended that the cover-up would obscure from the proceedings before the FTC that Uber had been breached again in 2016 during the FTC’s pending proceedings. SULLIVAN further intended that the cover-up would obscure from the FTC’s proceedings that millions of additional individuals had their personal data—kept by Uber—accessed and downloaded by hackers. It is my belief that SULLIVAN further intended to spare Uber and SULLIVAN negative publicity and loss of users and drivers that would have stemmed from disclosure of the hack and data breach.
- I further believe that there is probable cause to believe that SULLIVAN was aware of the illegal hack of Uber in 2016. Despite that knowledge, SULLIVAN did not report the illegal hack to law enforcement. Additionally, SULLIVAN took it upon himself and Uber to conceal and disguise the hack from law enforcement and from the public. In so doing, SULLIVAN and Uber prevented law enforcement from apprehending the hackers. Had SULLIVAN and Uber promptly reported the illegal hack to law enforcement, the hacks of multiple additional large tech companies and the theft of the personal data of millions of additional customers and users may have been prevented. The illegal hack was not disclosed to the FTC, to law enforcement, and to the public until new management took over these decisions at Uber.
The DOJ charged Sullivan with obstruction of justice and misprision of a felony. If convicted on both counts, he faces a combined maximum of eight years in prison, fines of up to $500,000, and other possible penalties.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.