In a rare move, federal prosecutors have lodged a criminal complaint against the former chief security officer of Uber Technologies Inc., alleging he deliberately concealed a second hack of Uber’s sensitive data and allowed the hackers to continue infiltrating others’ corporate data systems and stealing personal data.
According to the criminal complaint filed Aug. 19, Uber CSO Joseph Sullivan was responsible for purposely hiding information from a Federal Trade Commission investigation. The agency was investigating Uber in 2016 for, among other things, alleged unreasonable security practices that resulted in a May 2014 data breach that exposed the personal and sensitive information of upwards of 100,000 people. But the complaint alleges that during that investigation, and while subject to a civil investigative demand (CID) from the FTC, Uber experienced another data breach in the fall of 2016 that it not only didn’t disclose, but also took complex, affirmative steps to hide from the FTC and the public. The second breach, exploiting the same vulnerability as the first, compromised the names and driver’s licenses of some 600,000 people and at least some personal information associated with roughly 57 million consumers and drivers.
The charges against Sullivan for obstruction of justice and misprision of a felony seek to hold him responsible not only for interfering in the FTC’s investigation, but also for failing to alert authorities about the hackers involved in the second breach—despite learning their identities—and instead paying them $100,000 in bitcoin.
While these may well be the first felony charges against a corporate officer for his response to a data breach, it’s a fairly stark reminder of the long-known fact that deliberately misleading enforcers during an investigation, or seeking to hide information, is a bad idea. The consequences of failing to comply with a civil investigative subpoena can be much worse than the fallout from disclosing even damaging information subject to the order.
Fool Me Once ...
The FTC issued a CID to Uber in May 2015, about one year after the first breach. Apparently, Uber permitted its engineers to use a single access key that provided full administrative access to its server data, which was stored unencrypted on an Amazon Web Services platform. Because keys are sometimes embedded in code, an engineer accidentally posted code containing that skeleton key to GitHub, a public code-sharing site. During an internal investigation after the second breach, Uber’s engineers discovered that the key hadn’t been rotated since it was created in 2013: In other words, anyone with access to that key, inside or outside the company, had untrammeled access to Uber’s unencrypted, stored backup data on Amazon’s platform at the time of the second breach.
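The root cause described above, a long-lived administrative key embedded in code and never rotated, is something a defender can check for mechanically. The Python below is an added example written for this page; it is not Uber's code and nothing in it comes from the complaint. It does two things: scans a constructed source snippet for tokens shaped like AWS access key IDs (the 20-character AKIA/ASIA format, using the placeholder key ID from AWS's own documentation), and flags keys in a constructed inventory whose creation date is older than a rotation threshold. The inventory, the dates, the audit date and the 90-day threshold are all assumptions; in practice the creation dates would be read from IAM (for example from its credential report), which this offline example does not call.

```python
"""Two defensive checks for the failure mode in the Uber case (added example,
not from the article or from Uber):
  1. scan text that is about to be committed for AWS access-key-ID-shaped tokens;
  2. flag long-lived access keys that have exceeded a rotation age.
All sample inputs below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Long-term AWS access key IDs begin with "AKIA", temporary ones with "ASIA";
# both are 20 uppercase alphanumeric characters in total.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_access_key_ids(text):
    """Return every access-key-ID-shaped token found in `text`.

    This is the logic a pre-commit hook or CI secret scan would run over
    staged files; it only catches key IDs, not the 40-character secret key.
    """
    return AWS_ACCESS_KEY_ID_RE.findall(text)


def stale_access_keys(keys, now, max_age_days=90):
    """Return (key_id, age_in_days) for each key older than `max_age_days`.

    `keys` is an iterable of (key_id, create_date) pairs, the shape you get
    after parsing an IAM credential report or `list-access-keys` output
    (hypothetical here; no AWS call is made).
    """
    cutoff = now - timedelta(days=max_age_days)
    return [(key_id, (now - created).days)
            for key_id, created in keys if created < cutoff]


# Constructed snippet standing in for a source file about to be pushed.
# The key ID and secret are the placeholders AWS uses in its documentation.
SAMPLE_SOURCE = '''
import boto3
# TODO remove before commit
client = boto3.client("s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
COMMIT = "9fceb02d0ae598e95dc970b74767f19372d61af8"   # a git SHA, not a key
'''

# Constructed key inventory: one key created in 2013 and never rotated,
# one created recently. Dates are illustrative, not taken from the complaint.
KEY_INVENTORY = [
    ("AKIAIOSFODNN7EXAMPLE", datetime(2013, 6, 1, tzinfo=timezone.utc)),
    ("AKIA2222222222222222", datetime(2016, 10, 1, tzinfo=timezone.utc)),
]
AS_OF = datetime(2016, 11, 14, tzinfo=timezone.utc)  # hypothetical audit date


def run_checks(source=SAMPLE_SOURCE, inventory=KEY_INVENTORY, now=AS_OF):
    """Run both checks and return their findings in one dict."""
    return {
        "leaked_key_ids": find_access_key_ids(source),
        "stale_keys": stale_access_keys(inventory, now),
    }


if __name__ == "__main__":
    findings = run_checks()
    for key_id in findings["leaked_key_ids"]:
        print(f"BLOCK COMMIT: access key ID {key_id} found in source")
    for key_id, age in findings["stale_keys"]:
        print(f"ROTATE: {key_id} is {age} days old")
```

The scan belongs in a pre-commit hook and in CI so that a key never reaches a public repository in the first place; the age check belongs in a scheduled job that pages the key owner, since a key that has been live for years is exactly the condition that let the second intrusion reuse the first one's path. Neither check replaces short-lived credentials (instance roles or STS sessions), which remove the long-lived key entirely.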
Sullivan found out about the second breach about 10 days after he was deposed for the corporation in the FTC’s investigation and while the agency’s broad CID was open. According to the criminal complaint, he was “visibly shaken” when he learned that the underlying “door” to the company’s data was still wide open and had been accessed a second time.
Sullivan allegedly hid the breach, keeping the investigation and efforts to fix the issue hidden even within the company. As an active participant in the company’s responses to the FTC, he also repeatedly signed off on responses by Uber’s outside counsel to the FTC that he knew were not true, the complaint alleges.
As part of his efforts to keep the second breach secret, Sullivan allegedly paid two hackers their demanded amount of $100,000, but routed it through the company’s “bug bounty” program that rewards white-hat hackers for pointing out security flaws to the company rather than exploiting them. According to the complaint, he allowed the hackers to take that bounty anonymously, but had them sign a nondisclosure agreement, which they did using fake names. When his team later identified the hackers, he did not report them.
The hackers, Vasile Mereacre and Brandon Glover, pleaded guilty to hacking the data of another company on Amazon’s web platform (not long after they allegedly hacked Uber) and attempting to use that data to extort money from LinkedIn Corp. They await sentencing in California federal court on those charges.
Uber Pays Penalty
The FTC had negotiated a settlement agreement with Uber ending the investigation in August 2017, but it was not yet final when Uber’s new CEO learned of the 2016 breach and informed the FTC in November 2017. The new CEO also fired Sullivan.
The FTC withdrew the settlement and entered a new consent order with Uber that included additional, broader monitoring and reporting requirements. Uber also paid $148 million to settle a lawsuit brought by state attorneys general related to the breach. Dutch and U.K. regulators also fined Uber for failing to disclose the breach as required by the law of those jurisdictions.
Federal prosecutors don’t bring a lot of criminal complaints alleging obstruction of justice during agency proceedings.
In the past 12 months, only seven criminal cases have been brought under 18 U.S.C. § 1505 for obstruction of an agency proceeding, according to Bloomberg Law dockets. Bloomberg Law dockets show just 14 criminal cases brought under the statute during the 12 months before that.
Furthermore, this appears to be the first time a criminal case for obstruction has been brought for hiding a data breach in the U.S. But it may not be the last: Many regulators are getting tougher on companies that try to hide or destroy evidence during an investigation. Companies can expect enforcers to take a dim view of any attempts to hide evidence subject to a CID, and there are no guarantees that the resulting penalties will stay “civil,” especially if the facts are egregious.
As is so often the case, the cover-up could be at least as damaging as the data breach. It bears repeating: When something bad happens and an enforcement agency comes knocking, withholding relevant information is profoundly dangerous for the company and for those involved.