Uber ex-CISO Charged ‘Obstruction and Misprision,’ say DoJ/FBI

Joe Sullivan, the former security honcho at Uber, stands accused of obstructing justice and covering up a crime. It all stems from a cloud security breach at Uber Technologies in 2016, which leaked the personal information of 57 million drivers.

After an FBI investigation, the U.S. Attorney’s Office’s criminal complaint alleges Uber’s CISO covered it up, pretending the hackers were actually legit bug-bounty recipients. $100,000-worth of Bitcoin hush money is said to have been involved.

How does eight years in jail sound? Mister Sullivan denies wrongdoing, and Uber agrees.

No news on former CEO Travis Kalanick’s involvement—or otherwise. In today’s SB Blogwatch, we wait to see if another shoe will drop.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: stockmarquetry.

Sullivan Charged—is Kalanick Next?

What’s the craic? Kate Conger centipedes her way along the narrative—“Former Uber Security Chief Charged With Concealing Hack”:

 The criminal charges filed in U.S. District Court in San Francisco against Joe Sullivan, 52, are believed to be the first against an executive stemming from a company’s response to a security incident. … Prosecutors said [he] committed two felonies when he didn’t disclose the 2016 incident to federal investigators who were already investigating a similar data breach … two years earlier.

He led the ride-hailing company’s security work until he was fired in 2017 when his handling of the data breach … was discovered by Uber’s newly appointed chief executive … Dara Khosrowshahi. … Uber [has] for years cultivated a reputation for pushing legal boundaries as it established itself as the leading ride-hailing company.

Sullivan could face up to eight years in prison. … A spokesman [said] Sullivan had acted with the approval of Uber’s legal department and there was no merit to the charges. … Bradford Williams, the spokesman [said] “Uber’s legal department — and not Mr. Sullivan or his group — was responsible for deciding whether … the matter should be disclosed.”

In October, Brandon Glover, a Florida resident, and Vasile Mereacre, a Canadian national, pleaded guilty to the hack. … “We continue to cooperate fully with the Department of Justice’s investigation,” said Matt Kallman, an Uber spokesman.

And Kim Lyons roars—“Former Uber security chief charged with paying hush money”:

 Uber’s former security chief has been charged with obstruction of justice [and] misprision of a felony—meaning he knew of the breach and took steps to conceal it. … Uber’s chief security officer from April 2015 to November 2017, allegedly concealed the hack that occurred in October 2016, which exposed confidential data of 57 million drivers and customers, including drivers’ license information.

According to the charges, Sullivan tried to pay the hackers via a bug bounty program, paying the $100,000 even though the company didn’t know who the hackers were. … Once Uber staff identified the hackers, Sullivan had them sign … nondisclosure agreements, which stated that the hackers didn’t take or store any of the user and driver data.

Sullivan’s spokesman Bradford Williams said … there was “no merit” to the charges … noting Sullivan is “a respected cybersecurity expert and former Assistant U.S. Attorney.” … He said Sullivan and his team “collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies.”

Chapter+verse? The DoJ’s PR gnomes emit—“Former Chief Security Officer For Uber Charged”:

 “Silicon Valley is not the Wild West,” said … United States Attorney David L. Anderson. … “We will not tolerate illegal hush money payments.”

“Concealing information about a felony from law enforcement is a crime,” said … FBI Deputy Special Agent in Charge Craig D. Fair. … “We hope companies stand up and take notice.”

Uber had been hacked in September of 2014 and the FTC was gathering information about that 2014 breach. The FTC demanded responses to written questions and required Uber to designate an officer to provide testimony under oath.

According to the complaint … two hackers contacted Sullivan by email and demanded a six-figure payment in exchange for silence. [But] rather than report the 2016 breach, Sullivan allegedly took deliberate steps to prevent knowledge of the breach from reaching the FTC. … Sullivan sought to pay the hackers off by funneling [$100,000] through a bug bounty program. [And the] non-disclosure agreements … contained a false representation that the hackers did not take or store any data.

The criminal complaint also alleges Sullivan deceived Uber’s new management team about the 2016 breach: [He allegedly] removed details about the data that the hackers had taken and falsely stated that payment had been made only after the hackers had been identified.

Sullivan is charged with obstruction of justice … (18 U.S.C. § 1505) and misprision of a felony … (18 U.S.C. § 4). … All defendants are presumed innocent until proven guilty beyond a reasonable doubt.

If true, this sounds like the sort of thing an aggressive, “hypergrowth” startup might do. rorykoehler swearily pontificates thuswise:

 Companies don’t give a **** about security until it’s too late.

Security is … an increasingly specialist role that startups rarely hire for because they’re focusing on survival and growth so it’s to be expected this story will repeat ad nauseam.

Checkmate? The generically-named CommunityMember thinks two moves ahead:

 When the feds indict, there is rarely doubt as to whether they have the goods to obtain a conviction. The only way to try to obtain … a reduced sentence … is to flip on someone up the food chain.

Travis Kalanick is the bigger fish. No wonder Travis has no comment (his lawyers are currently preparing the spin).

In 2018, Joe Sullivan wrote a blog post that might come back to haunt him. Among many unrelated points he makes in “Why I’m Joining Cloudflare,” he writes:

 I love working as a Chief Security Officer because every day centers around building something that makes people safer. … My best days are those where I get to see harm prevented—at Internet scale.

I’ve had the good fortune to serve on some of the best Internet security teams in the world at eBay, Facebook, and Uber—and have still fallen short of reaching an ideal state of security. … Good security is hard.

But Cloudflare CEO Matthew Prince—@eastdakota—tweets his friendly advocacy:

 Sad to see Joe Sullivan allegations. Joe’s had a distinguished career as a US Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare.

Anytime an opportunity arose, Joe’s advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family.

At which, chubot waxes cynical:

 That makes sense. … CloudFlare also has a history of minimizing important security breaches—like when they sprayed their customers’ and customers’ customers’ private data all over the Internet … (Cloudbleed).

Maybe that was before this guy’s tenure, not sure. The point is that most companies do this, and users and customers should push back on it.

When breaches happen, commentators are often quick to say that execs should personally be prosecuted. So Halfmad ain’t half consistent:

 My hot take: We should be happy finally a senior manager is being legally taken to task. … Perhaps it will encourage the appropriate response and—oh I don’t know—responsibility that comes with the inflated pay.

It’s likely that the management culture is in many ways just as guilty, but you can’t change that without changing the management mindset of each individual involved. If they think they are personally on the hook for these sorts of shenanigans, it’s far less likely to happen.

Why so serious? Lighten up, will ya? raftpeople sounds slightly sarcastic:

 I’m pretty surprised by this. Uber has a long history of honest, moral and ethical dealings in all aspects of their business.

Meanwhile, don’t you hate it when you lose your account snarks it up:

 If they go to jail, will they be prisoners or self-employed inmates?

And Finally:

Yay, Jamie Lenihan’s back

Trigger warnings: Blackberry burn; IV crushing; and a couple of F-bombs

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: anon (cc:0)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
