Former Uber CSO charged for 2016 hack cover-up (ZDNet)

Uber's former chief security officer was charged on Thursday with covering up the company's 2016 security breach, during which hackers stole the personal details of 57 million Uber customers and the details of 600,000 Uber drivers.

Prosecutors in Northern California are charging Joe Sullivan, 52, who served as Uber CSO between April 2015 and November 2017, when Uber changed its CEO and most of its management team.

According to court documents, DOJ officials claim that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the 2016 breach.

Speaking at a press conference today (see video below), US Attorney for the Northern District of California David Anderson said that by hiding the Uber hack from authorities and management, Sullivan indirectly helped the hackers breach other companies.

"This office charged the hackers last year, and they pleaded guilty," Anderson said. "In their guilty pleas, the hackers admitted to hacking other companies using similar techniques to those used in the Uber hack."

"If Sullivan had promptly reported the Uber hack, those other hacks of those other companies may have been prevented," Anderson said.

But to understand what happened behind the scenes, we must combine the details put forward by the DOJ today with court documents from the DOJ's case against the Uber hackers, namely Brandon Glover, 26, an American from Florida, and Vasile Mereacre, 23, a Canadian from Toronto.

Per these two sets of documents, the Uber hack took place after the two hackers used a custom-built tool to gain access to GitHub accounts.

Glover and Mereacre specifically targeted the accounts of employees working for large corporations, gained access to their GitHub profiles, and then searched through the employees' projects for sensitive passwords and credentials.

This is how the two hackers got their hands on Amazon Web Services (AWS) credentials for Uber's backend infrastructure, where they found and subsequently downloaded details for 57 million Uber customers and 600,000 Uber drivers.

Per court documents, the two hackers reached out to Sullivan via email, claiming they had found a major vulnerability, provided a sample of the stolen data, and then requested a $100,000 payment in bitcoin to reveal the company's security hole.

Court documents unsealed today reveal that at the time Sullivan received this email, on November 14, he had just submitted written testimony to the FTC about a 2014 security breach, during which a hacker stole the names and driver's licenses of about 50,000 drivers.

Prosecutors say that Sullivan and his security team confirmed the validity of the hackers' sample data within 24 hours of receiving the email, but instead of notifying the FTC of this new security breach, Sullivan agreed to pay the hackers hush money.

Court documents filed today show conversations Sullivan had with then-Uber CEO Travis Kalanick about the security breach, with Kalanick giving the go-ahead for the hackers to receive their ransom in the form of a bug bounty program payout.

Investigators say that Sullivan proceeded with this plan and arranged for the hackers to sign a non-disclosure agreement, even without knowing their real names. This initial contract was signed, and the bounty paid, in December 2016 via the company's HackerOne bug bounty program.

However, US prosecutors say that when Uber's security team tracked down and identified the two hackers, instead of notifying authorities, Sullivan had the two hackers re-sign their confidentiality agreement in their true names.

Furthermore, the DOJ complaint claims that Sullivan insisted on the hackers signing a contract that claimed they had not taken any of Uber's data, knowing this statement was false.

"When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements," the DOJ said today in a press release.

Things then calmed down, but only until August 2017, when Uber's board ousted Kalanick and replaced him with Dara Khosrowshahi.

The DOJ says that Sullivan notified the new management team about the 2016 security incident but continued to cover up the hack.

"Specifically, Sullivan failed to provide the new management team with critical details about the breach," the DOJ said. "In September 2017, Sullivan briefed Uber's new CEO about the 2016 incident by email. Sullivan asked his team to prepare a summary of the incident, but after he received their draft summary, he edited it. His edits removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified."

But despite the issue being resolved, the new Uber CEO disclosed the breach to the public in November 2017. This disclosure was followed by an FBI investigation, which quickly identified and arrested the hackers, both of whom pleaded guilty in October 2019.

As the FBI investigated and gained access to the company's internal communications, they also started to understand Sullivan's role in covering up the 2016 breach.

"Silicon Valley is not the Wild West," said Anderson today. "We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."

However, in a message today, a spokesperson for the former Uber CSO said the DOJ's case had no legal merit.

"There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former Assistant US Attorney. This case centers on a data security investigation at Uber by a large cross-functional team made up of some of the world's foremost security experts, Mr. Sullivan included. If not for Mr. Sullivan's and his team's efforts, it's likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications, and other relevant teams at Uber, in accordance with the company's written policies. Those policies made clear that Uber's legal department, and not Mr. Sullivan or his group, was responsible for deciding whether and to whom the matter should be disclosed."

Sullivan was charged today with obstruction of justice and misprision of a felony in connection with the 2016 hack and subsequent cover-up. If found guilty on both charges, Sullivan risks maximum prison sentences of five and three years, respectively.

As NPR pointed out today, before serving as CSO at Uber, Sullivan had previously spent two years prosecuting computer hacking crimes as an assistant US Attorney in the very same office that charged him today.

Updated at 2:40pm ET with statement from Mr. Sullivan's spokesperson.
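The initial foothold described in the article, credentials discovered inside employees' source repositories, is exactly what repository secret scanning is meant to catch before code is pushed. The Python scanner below is an added example written for this page; it is not code from ZDNet, Uber, the DOJ filings, or anyone named in the story. Its key-format regexes and the entropy threshold are heuristics I have assumed rather than any published specification, and the sample config is constructed, using the example access key and secret key that AWS publishes in its own documentation (AKIAIOSFODNN7EXAMPLE and its companion secret).

```python
"""Minimal secret scanner for source trees (added example, not from the article).

Flags strings that look like AWS access key IDs or hard-coded secret
assignments so a pre-commit hook or CI job can block the commit. The
patterns are assumptions for this example and will yield some false
positives on high-entropy text such as hashes or base64 blobs.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from pathlib import Path

# Heuristic patterns (assumptions for this example, not an AWS-published spec).
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# "name = value" / "name: value" where the name suggests a secret and the
# value is long enough to be a real credential rather than a placeholder.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)([A-Za-z0-9_]*(?:secret|password|passwd|api_key|token)[A-Za-z0-9_]*)"""
    r"""\s*[:=]\s*['"]?([A-Za-z0-9/+=_\-]{16,})['"]?"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, prose and placeholders low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Never echo the full secret into logs or CI output; keep a short prefix."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, path: str = "<memory>", min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per suspicious match: path, line number, rule, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "rule": "aws-access-key-id", "match": redact(m.group(0))})
        for m in SECRET_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Low-entropy values ("changemechangeme1") are placeholders, not leaks.
            if shannon_entropy(value) < min_entropy:
                continue
            findings.append({"path": path, "line": lineno,
                             "rule": "secret-assignment", "match": redact(value)})
    return findings


def scan_tree(root: str, suffixes=(".py", ".js", ".yml", ".yaml", ".json",
                                   ".env", ".cfg", ".ini", ".txt")) -> list[dict]:
    """Walk a checkout and scan text files with the given suffixes."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            try:
                results.extend(scan_text(p.read_text(errors="ignore"), str(p)))
            except OSError:
                continue
    return results


# Constructed sample: an over-shared deploy config in a personal repo. The key
# values are AWS's documented example credentials, not live ones.
SAMPLE_CONFIG = """\
# deploy settings
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = changemechangeme1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.ini"):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['match']}")
```

Run against a checkout with `scan_tree(".")` from a pre-commit hook and fail the commit on any finding; the entropy filter keeps obvious placeholders out of the report, and the redaction keeps the scanner itself from becoming a second place the secret is written down.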