author photo
By Bruce Sussman
Fri | Aug 21, 2020 | 6:45 AM PDT

The U.S. Department of Justice just filed federal charges against Uber's former Chief Security Offier (CSO) for allegedly covering up a company data breach and bribing hackers to stay silent about the attack.

SecureWorld wrote about this case in February 2018, Uber Data Breach: 3 Things Revealed in Testimony to Congress

What is Uber's former CSO accused of doing?

Joseph Sullivan was Chief Security Officer when the U.S. Federal Trade Commission (FTC) was investigating Uber's 2014 data breach.

Shortly after Sullivan presented testimony to the FTC about that attack, hackers contacted him and revealed a new attack involving the theft of data on 57 million Uber users and drivers.

The U.S. Attorney for Northern California says Sullivan then covered up that crime so the world, including the FTC, would not find out about it:

Rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC. For example, Sullivan sought to pay the hackers off by funneling the payoff through a bug bounty program—a program in which a third party intermediary arranges payment to so-called "white hat" hackers who point out security issues but have not actually compromised data.  

Uber paid the hackers $100,000 in Bitcoin in December 2016, despite the fact that the hackers refused to provide their true names.  In addition, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data.  

When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements. Moreover, after Uber personnel were able to identify two of the individuals responsible for the breach, Sullivan arranged for the hackers to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false condition that no data had been obtained.  

Uber's new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017. 

What is law enforcement saying about the Uber data breach scandal?

U.S. Attorney David Anderson says this should be a message to companies:

"Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."

And FBI Special Agent Craig Fair specifically addressed the hacking angle of this bizarre cover-up:

"Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people's personal data."   

Uber's Former CSO now faces a maximum jail sentence of eight years if he is convicted on the charges against him which includes obstruction of justice.

Did the Uber breach cover-up hurt the reputation of security research?

To many, this case caused confusion.

Uber's former CSO claimed to be paying a bug bounty to security researchers who found a vulnerability. But according to the new charges, this was actually a bribe to criminal hackers—hush money in exchange for their silence.

Casey Ellis, CTO and Founder of Bugcrowd, say this breach of ethics has deeply influenced how many view the non-criminal hacker community.

"Unfortunately, this incident has also negatively influenced the public's perception of the hacker community, and of bug bounties in general. Historically, hackers were strictly viewed as malevolent, but the industry's understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community.

In fact, there's a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security posture."

And Ellis says we need this group of white hat hackers, possibly more than ever. And they need the backing of information security leadership:

"As leaders within the cybersecurity space, we have a moral obligation to support the next generation of Internet defenders as they advance the ethical hacker community forward. We must band together to fight the masses of bad actors by empowering the hackers that operate with integrity, and protecting them and their work."

Here is more on the charges against the former Uber CSO.

Comments