Former Uber CSO convicted of covering up massive 2016 data theft

Joe Sullivan, Uber’s former chief security officer, has been found guilty of illegally covering up the theft of Uber drivers’ and customers’ personal information.

Sullivan, previously a cybercrime prosecutor for the US Department of Justice, was charged two years ago with obstruction of justice and misprision of a felony – concealing a known felony from law enforcement. He was convicted on both counts today.

On November 21, 2017, Uber CEO Dara Khosrowshahi issued a statement acknowledging that in late 2016, miscreants had broken into the app giant’s infrastructure and made off with 57 million customer and driver records. Sullivan, along with Craig Clark, legal director of security and law enforcement, was fired as a result.

Sullivan, according to court documents, learned of the theft in November 2016, about ten days after he had provided testimony to the US Federal Trade Commission about a 2014 cyberattack on Uber. Concerned that another data security breach would harm the company, Sullivan sought to cover up the 2016 heist by passing off a ransom payment, made to the thieves to recover the data, as a bug bounty award.

California law requires companies to disclose breaches of data security, though Sullivan was charged under federal statutes. The obstruction charge stems from the allegation that Sullivan impeded the FTC’s ongoing investigation of Uber’s security practices.

Evidence in the case indicates that Travis Kalanick, CEO at the time of the 2016 theft, was made aware of the cyber-pilferage shortly after Sullivan learned about it, and that Sullivan discussed his strategy for handling it with him. Kalanick has not been charged.

Uber ultimately made two $50,000 payments to the intruders in December 2016. A month later, after managing to identify one of them, an Uber representative met the man in Florida and had him sign a confidentiality agreement.

When Khosrowshahi took over in September 2017 after the departure of Kalanick, Sullivan allegedly “lied to him about the circumstances surrounding that data breach,” according to the Feds.

“Sullivan instructed the [security] team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under its ‘bug bounty’ program,” an FBI affidavit [PDF] against Sullivan explains.

During the trial, David Angeli, Sullivan’s attorney, disputed that, saying Sullivan disclosed the breach to Khosrowshahi almost immediately. Angeli did not immediately respond to a request for comment.

The two cyber-robbers involved, Brandon Charles Glover and Vasile Mereacre, pleaded guilty in 2019, and Mereacre testified at Sullivan’s trial last month that he and his partner wanted to extort money from Uber. The two have yet to be sentenced, possibly because the government wanted their testimony before sentencing.

The judge handling Sullivan’s case has not yet set a sentencing date.

“The entire situation is extremely unfortunate for Uber and the broader legal/security communities,” David Lindner, CISO at Contrast Security, told us.

“What Uber did was cover up a breach through means of hiding it as a bug bounty submission. The conviction of the security chief is a good start but for what was disclosed there should be even more accountability of the executives and even board members.” ®