When former Uber CSO Joe Sullivan was charged earlier this month for his alleged role in the Uber data breach cover-up, it was the latest in a series of events for the ride-sharing company that date back to 2014.
Sullivan, who is currently CSO of Cloudflare, was charged with one count of obstruction of justice and one count of misprision of a felony in connection with Uber’s response to the 2016 data breach. Prosecutors claim he orchestrated the cover-up by paying $100,000 in “hush money” to the threat actors behind the breach and disguising the payment as a bug bounty reward. The objective, according to the criminal complaint against Sullivan, was to conceal the 2016 Uber breach from both the public and the U.S. Federal Trade Commission (FTC), which was investigating Uber over an earlier data breach.
The Uber data breach cover-up and the case against Sullivan feature numerous important dates and developments, according to court documents and statements from the FTC. Here’s a look at some of the major dates:
May 12, 2014: Threat actors access personal data of Uber customers and drivers contained in an AWS S3 bucket. The attackers used an AWS access key that was publicly posted to GitHub and obtained information that included 100,000 drivers’ names, driver’s license numbers, physical addresses, email addresses and other data.
September 2014: Uber’s security team discovers the intrusion and begins investigating the incident.
February 2015: Uber sends breach notifications to its drivers and also discloses the attack to the FTC, which begins an investigation into the incident.
April 2, 2015: Uber hires Joe Sullivan as its first CSO. Sullivan previously served as Facebook’s CSO for five years.
Nov. 4, 2016: Sullivan provides sworn testimony to the FTC regarding the FTC’s investigation into the 2014 breach, which predated his arrival at the company. Sullivan testified about Uber’s use of AWS S3 storage buckets, as well as data privacy practices to safeguard information stored in those buckets.
Nov. 14, 2016: Sullivan receives an email from anonymous threat actors claiming they exploited a “major vulnerability” and obtained access to an Uber database. Uber’s security team investigates the claim and discovers attackers used stolen GitHub credentials to access Uber’s private code repository, where they found AWS credentials and accessed an S3 bucket with the database.
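Both intrusions in this timeline (the 2014 key posted publicly to GitHub and the 2016 credentials found in a private repository) began with AWS credentials committed to source control. The scanner below is an added example, not code from the article, from Uber, or from any AWS tool; it looks for the AWS access key ID format (AKIA/ASIA plus 16 uppercase alphanumerics) and for 40-character high-entropy tokens of the kind used as secret keys, so that a pre-commit hook or a repository sweep can catch such a leak before it is pushed. The sample settings file is constructed, its key values are AWS’s own documented placeholder credentials, and the entropy threshold is an assumed tuning value.

```python
"""Scan text for AWS credential patterns before it reaches a repository.

Added example (not from the article or from Uber/AWS tooling). Assumes the
current AWS key-ID format (AKIA/ASIA + 16 uppercase alphanumerics) and a
40-character secret key; everything else is a constructed sample.
"""
import math
import re
import sys
from typing import Dict, List

# Constructed sample: a settings file of the kind that gets committed by mistake.
# The key values are AWS's documented placeholder credentials, not live keys.
SAMPLE_FILE = """\
# deploy settings (constructed example, not from any real repository)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export APP_NAME=rides-api
"""

# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 characters drawn from this alphabet; the lookarounds keep
# the match from being a slice of a longer token.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# 40-char runs that are genuine secrets have high character entropy; words,
# padded identifiers and repeated characters do not. Assumed threshold.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(token: str) -> float:
    """Bits of entropy per character of token (0.0 for an empty string)."""
    if not token:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep enough of the token to locate it without re-leaking it in a report."""
    return token[:4] + "..." + token[-2:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspected credential, with 1-based line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_CANDIDATE_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(token)})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan one file on disk; unreadable bytes are replaced rather than fatal."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    # With file arguments, scan them (e.g. from a pre-commit hook); otherwise
    # scan the constructed sample. Exit 1 on any finding so a hook can block.
    results = ([f for p in sys.argv[1:] for f in scan_file(p)]
               if len(sys.argv) > 1 else scan_text(SAMPLE_FILE))
    for f in results:
        print(f"line {f['line']}: {f['kind']} ({f['value']})")
    sys.exit(1 if results else 0)
```

The entropy gate matters in practice: a pattern-only rule for 40-character tokens flags commit hashes, padded identifiers and base64 fragments, while a real secret key scores well above 3.5 bits per character. Findings are redacted in the report so the scanner’s own output does not become a second copy of the leaked credential.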
Nov. 15, 2016: Sullivan contacts then-CEO Travis Kalanick about a “sensitive” matter, according to records of text messages. Kalanick spoke with Sullivan and then sent a text message discussing how the matter could be treated “as a [bug] bounty situation.”
Dec. 8, 2016: Using HackerOne’s bug bounty platform, Uber authorizes a $100,000 payment to the threat actors behind the breach, who later sign non-disclosure agreements regarding the incident.
January 2017: Uber’s security team identifies the threat actors behind the breach.
April 19, 2017: Uber sends a letter to the FTC requesting the commission close its investigation into the company’s 2014 data breach. The letter states that Uber had fully cooperated with the FTC and provided “exhaustive” responses to investigators’ inquiries, while also claiming Uber’s security team had implemented “numerous and extensive additional protections” for data stored in its S3 buckets to prevent a repeat of the 2014 incident. The letter does not disclose the 2016 breach.
June 21, 2017: Kalanick steps down as CEO of Uber following several scandals.
Aug. 15, 2017: Uber and the FTC agree to a proposed settlement regarding the company’s 2014 breach, as well as claims that Uber employees had improperly accessed customers’ personal information. The settlement prohibits Uber from misrepresenting its security practices and requires the company to implement a comprehensive privacy program and to undergo third-party audits every two years for the next 20 years.
Aug. 29, 2017: Uber names Dara Khosrowshahi as its new CEO.
September 2017: Sullivan is asked to brief Khosrowshahi about the 2016 Uber data breach. However, according to court documents, Sullivan’s briefing omits key details about the breach.
Nov. 21, 2017: In an open letter, Khosrowshahi discloses the 2016 breach with an apology for not disclosing the incident earlier. On the same day, Bloomberg first reports that Sullivan and Craig Clark, a senior lawyer on Sullivan’s team, were fired for concealing the breach and paying off the hackers.
April 12, 2018: The FTC announces it has withdrawn the proposed settlement with Uber regarding the 2014 data breach and criticizes the company for concealing the 2016 breach during its initial investigation.
May 16, 2018: Cloudflare hires Sullivan as its new CSO.
Aug. 2, 2018: A grand jury indicts Brandon Charles Glover and Vasile Mereacre for attempted extortion of Lynda.com (now LinkedIn Learning), an online employment training and education service. Glover and Mereacre are accused of gaining access to 90,000 Lynda accounts and demanding payment from LinkedIn in December 2016.
Sept. 26, 2018: Uber agrees to a settlement with the attorneys general of all 50 states and the District of Columbia regarding the 2016 data breach. Uber agrees to pay a record $148 million penalty for concealing the breach.
Oct. 26, 2018: The FTC approves a revised settlement with Uber. The company is subject to civil penalties for any failures to disclose future breaches or security incidents involving unauthorized access to customer and driver data.
Oct. 30, 2019: The Department of Justice announces that Glover and Mereacre, then 26 and 23, each pleaded guilty to conspiracy to commit extortion in a superseding indictment related to the Uber data breach. The two men admit Uber paid them $100,000 via HackerOne under the guise of a bug bounty.
Aug. 27, 2020: Sullivan is charged with one count of obstruction of justice and one count of misprision of a felony. Authorities claim Sullivan covered up the 2016 breach from the public and the FTC in an effort to obstruct the FTC’s investigation into Uber’s security practices.
*by Rob Wright via Search Security*