From Security Weekly Wiki


Ex-Uber chief security officer charged, accused of covering up theft of personal info from databases by hackers

You may recall when Uber suffered a security breach back in 2016 and there was a scandal in the news about Uber paying the attackers $100,000 to cover the incident up. What you may not know is that the effects of this intrusion are still rippling out four years after the events. Joe Sullivan, the former CSO for Uber, was formally charged last week with crimes relating to the breach. He faces charges of obstruction of justice and misprision (the deliberate concealment of one's knowledge of a treasonable act or a felony) in US federal court. The charges carry maximum prison sentences of five and three years respectively, plus a fine of up to $250,000 for each charge.

Sullivan’s trouble is not due to the security breach itself, but to how he and then-CEO Travis Kalanick handled it. Uber was fresh off a security intrusion in 2014 when the 2016 breach occurred. Extensive PII was disclosed as part of the breach. Sullivan was understandably upset about this, but instead of disclosing the intrusion to the FTC, privacy regulators in California and the FBI, he allegedly made extensive efforts to cover it up. The intruders were paid $100,000 in bitcoin and required to sign NDAs saying they would not disclose information about the breach. (Did they expect the intruders to honor this? Really?) Sullivan and Kalanick agreed to disguise the payment as a bug bounty, instead of an intrusion.

This actually starts to feel like a Shakespearean tragedy, as Sullivan appears to have had a solid career going and had worked for the US District Attorney for Northern California, the same office that charged him with the crimes. Did you ever get in trouble as a kid for lying to cover up something stupid that you did? This is the same thing, but on a grander scale. Yes, I would have gotten in trouble for what I did, but I got in way more trouble for lying about it. Sullivan did the same thing and now faces the end of his career, prison time, extensive fines, and a wrecked reputation.

This brings me to the point for all of us in InfoSec. We have the potential to run into very bad news, and no one wants us to share it. But there are definitely legal requirements now for us to do so. Covering it up causes way more trouble than it is worth. While it may be very tempting in the moment to not say anything, we can’t give in to that. I haven’t been faced with something this serious in my career, but I have had some really uncomfortable situations occur. Once I had to face off against a CTO I worked for over some due diligence work we were doing. It was uncomfortable, and I was very aware that this might cause me some immediate job repercussions and financial difficulty. Fortunately, we worked it out. Regardless, I’m sure many of you have been in, or know of folks who have been in, similar situations. This story about Mr. Sullivan is a reminder to all of us that giving in to immediate pressures may cause us much greater trouble later.