A leading CISO, Joe Sullivan — most recently at Cloudflare and previously with Uber and Facebook — has been charged by US prosecutors with obstruction of justice and deliberately concealing a felony following a 2016 incident at Uber in which the personal information of millions of customers was stolen.
The complaint alleges that Sullivan tried to pass the incident, in which hackers stole an AWS database containing the personal details of 57 million Uber customers, off as a legitimate engagement under a bug bounty programme, paying them $100,000 in Bitcoin to keep quiet.
The Department of Justice claims that Sullivan took “deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach”, hiding the fact that the hackers had stolen the database and making them sign a non-disclosure agreement (NDA) despite not initially having their names.
After his team took action to actively track down and identify the two, Uber had them sign updated NDAs under their real names, which “contained a false representation that the hackers did not take or store any data”, the complaint alleges.
(The hackers had breached Uber by accessing its source code on GitHub using stolen credentials, located AWS credentials hard-coded in that source, and used them to access an S3 bucket containing the database; poor key management was central both to the 2016 incident and to an earlier hack suffered by Uber in 2014, the complaint notes.)
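A defensive check that fits the failure described in the parenthetical above, added here as an illustration and not code from Uber, the prosecutors or the article: a small scanner for hard-coded AWS credentials in source or config text, the kind of control that can run as a pre-commit hook or CI step. It assumes AWS's documented key formats (access key IDs starting with AKIA or ASIA, 40-character secret keys) and runs over a constructed sample file with a fake key pair.

```python
"""Scan text for hard-coded AWS credentials (hypothetical defensive check)."""
import re
from typing import List, Tuple

# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) plus 16 base-32 chars.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret keys are 40 chars of base64-like text. Require a nearby "secret ... key"
# keyword so that every 40-char token in a codebase (git SHAs, IDs) is not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Never echo a full secret into logs or CI output; keep just enough to locate it."""
    return value[:4] + "..." + value[-4:]


def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each credential-looking token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", redact(m.group(1))))
    return hits


# Constructed sample config: the key pair is fake, the commit SHA is a deliberate
# 40-char decoy that must NOT be reported.
SAMPLE = """\
[default]
region = us-west-2
aws_access_key_id = AKIAEXAMPLE0123456AB
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
commit_sha = 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, kind, value in find_aws_credentials(SAMPLE):
        print(f"line {lineno}: {kind} {value}")
```

A real deployment would also fail the build when any hit is returned and add detection for other credential formats the repository may contain.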
CISO Charged: “Silicon Valley is Not the Wild West”
US Attorney David Anderson said: “Silicon Valley is not the Wild West.”
He added: “We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups.”
“Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements,” prosecutors said.
“The new agreements retained the false condition that no data had been obtained. Uber’s new management ultimately discovered the truth and disclosed the breach publicly, and to the FTC, in November 2017.”
Two months after Uber hired a new CEO in August 2017, the company disclosed the breach to federal authorities — with Uber subsequently firing Sullivan and a security attorney assigned to his team, the complaint reveals.
The two hackers identified by Uber — Brandon Charles Glover, 26, and Vasile Mereacre, 23 — were prosecuted in the Northern District of California. Both pleaded guilty on October 30, 2019 to computer fraud conspiracy charges.
Sullivan’s spokesman Bradford Williams says that the two would not have been identified at all if it were not for the actions of Sullivan and his team: “From the outset, Mr Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies.
“Those policies made clear that Uber’s legal department — not Mr Sullivan or his group — was responsible for deciding whether, and to whom, the matter should be disclosed.”
Sullivan, 52, previously worked as a prosecutor in the same federal office that brought the charges against him. Critics say irrespective of corporate policies, he should have known that the incident needed disclosing. Allies say he has been thrown under the bus and is the scapegoat for broader executive failings at Uber during the period.
Despite this, as one observer noted: “The Fortune 100 companies I’ve worked Incident Response for and every publicly traded company that’s ever paid a ransom to get their files back should be sweating bullets right now however”.
Cloudflare CEO Matthew Prince tweeted: “Sad to see Joe Sullivan allegations. Joe’s had a distinguished career as a US Attorney & exec at eBay, PayPal, Facebook, Uber & Cloudflare. Anytime an opportunity arose, Joe’s advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family.”