Prosecutors file additional charges against former Uber security chief for ‘covering up’ 2016 data breach

John Leyden January 05, 2022 at 17:10 UTC

Updated: January 06, 2022 at 09:04 UTC

Alleged misuse of bug bounty and failure to disclose the offense results in criminal prosecution

Additional charges have been added to the indictment against a former Uber security manager for his alleged involvement in covering up a hack on the ride-sharing app in 2016.

Wire fraud has joined the list of charges against Joseph Sullivan, 52, of Palo Alto, Calif., for his alleged cover-up of a 2016 attack that exposed the records of 57 million users and 600,000 drivers.

The latest charges, handed down in a superseding indictment returned by a federal grand jury, are in addition to earlier charges of obstruction of justice and “misprision of a felony.”

Uber breach

Unauthorized hackers gained access to the personal data of 57 million Uber users and the driver’s license information of around 600,000 drivers in October 2016.

The sensitive data was downloaded from a third-party cloud provider’s storage bucket, which the attackers accessed using credentials that an Uber engineer had inadvertently posted on a code-sharing website.
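The breach path described above (a credential left in source code that is pushed to a public code-sharing site, then used against a cloud storage bucket) is the kind of leak a pre-commit secret scanner is meant to catch. The scanner below is an added, defender-side illustration written for this page; it is not code from Uber, from the prosecutors, or from the original article. The sample source text is constructed (the AKIA... value is the placeholder that AWS uses in its own documentation, and the other values are fabricated), the AWS key-ID shape is the real documented format, and the variable and function names are assumptions.

```python
import math
import re

# Constructed sample source file: what an engineer might be about to push to a
# public repository. Key values are fabricated (the AKIA... value is the
# placeholder AWS uses in its own documentation).
SAMPLE_SOURCE = """\
# upload nightly export to cloud storage (constructed example)
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
BUCKET = "user-exports"
VERSION = "1.4.2"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
"""

# Well-known key-ID shape: AWS long-term (AKIA) and temporary (ASIA) access key IDs.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Quoted value assigned to a variable whose name suggests a credential.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|password|passwd|token|api_key)[A-Z0-9_]*)"
    r"\s*=\s*['\"]([^'\"]{8,})['\"]"
)

HIGH_ENTROPY_BITS = 3.0  # per-character Shannon entropy above which a value looks random


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, dictionary words score low."""
    if not value:
        return 0.0
    counts = {ch: value.count(ch) for ch in set(value)}
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Never echo the whole secret in a report; keep only a short prefix."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_text(text: str) -> list:
    """Return one finding per suspicious line: known key-ID shapes and credential assignments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key_id = AWS_KEY_ID_RE.search(line)
        if key_id:
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": mask(key_id.group(0)), "high_entropy": True})
            continue
        assign = SECRET_ASSIGN_RE.search(line)
        if assign:
            name, value = assign.group(1), assign.group(2)
            # Low-entropy values (placeholders like "changeme") are still reported,
            # but flagged differently so a reviewer can triage them.
            findings.append({"line": lineno, "kind": "secret_assignment",
                             "name": name, "value": mask(value),
                             "high_entropy": shannon_entropy(value) >= HIGH_ENTROPY_BITS})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding)
```

Running the block reports lines 4, 5 and 6 of the sample and leaves the bucket name and version string alone. Scanning is only the first half of the control: a key that has already been pushed to a public repository should be treated as compromised and rotated, since removing it from the next commit does not remove it from history or from copies that were already cloned.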

Prosecutors say Sullivan made a deal with the hackers, who refused to give their real names, to keep the breach quiet and delete the stolen data in exchange for a payment of $100,000 in bitcoin.

The two individuals involved were subsequently identified, arrested, charged and convicted of attacks on LinkedIn and Uber.

Retrospective bug bounty

Sullivan allegedly complied with an exorbitant demand for payment while disguising it as a bug bounty payout and having the hackers sign nondisclosure agreements that contained false statements.

As the US Department of Justice points out, bug bounties exist to stimulate the legitimate discovery and reporting of security issues rather than to cover the exchange of compromised data.

California law requires companies operating in the state to notify residents of data breaches. The wire fraud allegations stem from Sullivan’s alleged attempt to defraud Uber drivers by failing to disclose the 2016 breach.

Prosecutors say the nondisclosure agreements incorrectly stated that the hackers did not take or store Uber’s data. Additionally, Sullivan sent an email to Uber’s then-newly-appointed chief executive that referred to the matter as a routine “security incident” rather than a (more serious) data breach.

“When hacks like this occur, state law requires notice to victims,” Acting U.S. Attorney Stephanie Hinds said in a statement from the US Department of Justice on the latest development in the closely watched case. “Federal law also requires truthful responses to official government requests. The indictment alleges that Sullivan did neither.

“We allege that Sullivan falsified documents to avoid victim notification and hid the seriousness of a serious data breach from the FTC, all to enrich his business,” Hinds added.

Sullivan is charged with three counts of wire fraud, obstruction of justice and misprision of a felony. The wire fraud charges carry a higher maximum jail sentence than the other offences.

Sullivan’s arraignment on the new charges has not yet been scheduled and no plea has been entered.

Uber, which was already under investigation for an earlier 2014 breach at the time of the second, similar data leak, did not disclose the 2016 breach to consumers or to US Federal Trade Commission regulators until November 2017, circumstances that ultimately led to censure and a $148 million data breach settlement with the FTC.

The 2014 breach led to the exposure of the names and license plate data of approximately 100,000 drivers.