Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), was convicted on Wednesday, October 5, 2022, on charges of covering up a data breach. According to court records, Sullivan was involved in two separate hacks of Uber’s databases. Although Sullivan was hired as Uber’s Chief Security Officer (“CSO”) in April 2015, his case involved two hacks: one in 2014 and another in 2016. When Sullivan was hired, Uber disclosed to the FTC that it had been the victim of a data breach in 2014 and that the breach involved the unauthorized access of approximately 50,000 consumers’ personal information, including their names and driver’s license numbers.
In May 2015, the month after Sullivan was hired, the FTC served a detailed Civil Investigative Demand on Uber demanding extensive information about any other instances of unauthorized access to user personal information, and information regarding Uber’s broader data security program and practices. In his new role as CSO, Sullivan supervised Uber’s responses to the FTC’s questions, participated in a presentation to the FTC in March 2016, and testified under oath, at length, to the FTC on November 4, 2016, regarding Uber’s data security practices. Sullivan’s testimony included specific representations about steps he claimed Uber had taken to keep customer data secure.
Ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.
After learning the extent of the 2016 breach, and rather than reporting it to the FTC or any other authorities, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for their signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone and which also contained the false representation that the hackers had not taken or stored any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January 2017 and required them to execute new copies of the non-disclosure agreements in their true names, emphasizing that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.
Despite knowing that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. At the time Sullivan lied, falsely telling the new CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports the statement that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.
In finding Sullivan guilty, the jury concluded he obstructed justice, and that he knew that a federal felony had been committed and took affirmative steps to conceal that felony.
A Teaching Moment. I often argue that a security professional’s worst nightmare is the Inside Threat: insiders have Motive, Means and Opportunity (MOM) to commit a crime. In Sullivan’s case, the Inside Threat is a second-order effect and not too bright: he brought his subordinates on board with no visible incentive, other than the implicit threat of being fired. Yesterday, the FBI Boston Office released a “Trust In Me” public service announcement. During the announcement, Joseph R. Bonavolonta, Special Agent in Charge of the FBI Boston Division, said: “The first step towards protecting yourself from cyber incidents is to develop a relationship with the FBI. Doing so enables you to identify who to call in the event you do suffer a cyber incident, granting quick and efficient access to our rich network of resources. Cybersecurity is national security, and by working together and reporting these incidents to us, you are working to help prevent these bad actors from victimizing others, and potentially from re-victimizing you.” I disagreed with Mr. Bonavolonta then and now.

With all due respect to Special Agent Joseph R. Bonavolonta, the first step towards protecting yourself from cyber incidents is not to develop a relationship with the FBI. While a relationship with the FBI is important, there are trust and competency issues. For example, regarding the FBI’s Cyber Guardian system: “rather than a beacon of trust, as the moniker implies, an audit report from the Justice Department’s internal watchdog paints a picture of a guardian that is not dependable, given to simple errors and late with needed information.” The FBI’s email servers were previously hacked, resulting in spam emails being sent to the public that appeared to be from the agency and the Department of Homeland Security.

Instead, we first recommend a review of the $1.00 fence for the $1,000 horse. There are two types of businesses: those who know they have been victims of security breaches and those that don’t. That is why it is important to identify and prioritize the stored information, a.k.a. intellectual property. We also suggest a paradigm change: the higher the trust level in your computer, the less trust you should extend to it. The people you trust the most are the most dangerous. This is known as the Inside Threat, which we have been preaching for years but the FBI often leaves out. In remarks prepared April 27, 2022 for delivery to the Domestic Security Alliance Council, FBI Director Christopher Wray finally referred to the Inside Threat and made it clear that the counterintelligence threat posed by China is top of mind and that “nothing presents a broader, more severe threat to our ideas, our innovation, and our economic security than the People’s Republic of China.”

Number three, develop a relationship with the FBI. In the Uber case, having brought Mr. Sullivan into Uber at the highest level of trust, management should have treated him with the least trust. The accounting issue should have been a big red flag for management, as Uber paid the hackers $100,000 in bitcoin in December 2016. Who signed off on the payment? Where were the lawyers?