
Former Uber CSO Joe Sullivan found guilty in breach cover-up

Sullivan was convicted of obstruction of proceedings of the Federal Trade Commission and misprision of felony in connection with the cover-up of Uber's 2016 data breach.

Former Uber CSO Joe Sullivan was convicted Wednesday evening on charges stemming from a cover-up of a 2016 data breach at the ride-sharing giant.

A federal jury found Sullivan guilty of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of a felony in connection with attempting to conceal the Uber breach and pay off the hackers through a bug bounty award. The breach occurred when two hackers, Brandon Charles Glover and Vasile Mereacre, used stolen credentials to illegally access and download a trove of data from an Amazon S3 bucket that included records for approximately 57 million Uber users and 600,000 driver license numbers.

At the time of the 2016 breach, the FTC was investigating Uber over a separate attack on the company in 2014 that followed a similar track; threat actors used an AWS access key that was exposed in a public GitHub repository. They obtained records for approximately 100,000 Uber drivers, including driver's license numbers, physical addresses and email addresses.

Sullivan, who is currently CSO at Cloudflare and who previously worked as a federal prosecutor with the Department of Justice (DOJ), joined Uber in spring 2015 as CSO. According to the DOJ, he was tasked with leading Uber's response to the 2014 breach and the FTC inquiry. On Nov. 4, 2016, Sullivan testified under oath to the FTC about Uber's security practices, specifically the company's effort to protect sensitive data stored in AWS S3 buckets.

But 10 days later, Sullivan was contacted by the hackers behind the 2016 breach, who informed him they had stolen a massive amount of Uber user data. Authorities claim the hackers demanded a large ransom payment in exchange for deleting the stolen data. Instead of reporting the incident to federal authorities, the DOJ said, Sullivan designed a scheme to conceal the breach and pay Glover and Mereacre $100,000 under the guise of a legitimate bug bounty reward in exchange for signing nondisclosure agreements about the attack.

However, Glover and Mereacre were indicted in 2018 on charges of attempted extortion in connection with a separate hack of Lynda.com (now LinkedIn Learning). The two men later pled guilty to hacking and extortion charges for both the Lynda.com and Uber breaches.

[Figure: Timeline of Uber's 2016 data breach and cover-up involving former CSO Joe Sullivan.]

A long-running scandal

According to federal prosecutors, Sullivan worked to conceal the breach from the FTC even as Uber was entering into a settlement agreement with the agency regarding the 2014 breach. In addition, the former CSO hid the details of the 2016 breach from Uber CEO Dara Khosrowshahi, who had joined the company in 2017, as well as from the company's legal team and general counsel.

"Technology companies in the Northern District of California collect and store vast amounts of data from users," said U.S. Attorney Stephanie M. Hinds in the DOJ announcement Wednesday. "We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers.

"Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted."

The details of the 2016 Uber breach first came to light in 2017 when Khosrowshahi published an open letter and an apology to Uber customers. On the same day, Bloomberg reported that Sullivan and Craig Clark, a lawyer on Sullivan's security team, were fired for their roles in a cover-up of the breach.

As a result of the revelations, the FTC withdrew from its initial proposed settlement with Uber in 2018. Later that year, the agency approved a revised settlement with the company that did not include civil penalties but required Uber to implement a privacy program to protect user data. Uber was also required to obtain biennial independent, third-party assessments of its privacy program for the next 20 years and to submit those independent assessments to the FTC.

Sullivan was eventually charged in 2020 in the same district -- the Northern District of California -- where he once worked as a federal prosecutor. Sullivan's case became a closely watched affair for the infosec industry. The DOJ said his sentencing will be scheduled at a later date.

After being fired by Uber, Sullivan joined Cloudflare in spring 2018 as the company's first CSO. TechTarget Editorial contacted Cloudflare for comment, but the company had not responded at press time.
