Alleged misuse of bug bounty and failure to disclose breach leads to criminal charges

Prosecutors file additional charges against former Uber security chief over an alleged 2016 data breach cover-up

Additional charges have been added to the indictment against a former Uber chief security officer over his alleged involvement in the cover-up of a hack against the ride-hailing app in 2016.

Wire fraud has joined the list of charges pending against Joseph Sullivan, 52, of Palo Alto, California over his alleged concealment of a 2016 attack that exposed 57 million user and 600,000 driver records.

The latest charges – handed down in a superseding indictment returned by a federal grand jury – add to previous charges of obstruction of justice and ‘misprision of a felony’.

Uber breach

Attackers gained unauthorized access to the personal details of 57 million Uber users and the driving license information of around 600,000 drivers in October 2016.


The sensitive data was accessed and downloaded from a third-party cloud provider’s storage bucket using credentials that an Uber engineer had inadvertently posted on a code-sharing website.

According to prosecutors, Sullivan made a deal with criminal hackers to keep quiet about the breach and delete the purloined data they held, in exchange for a payment of $100,000 in bitcoin to individuals who refused to give their true names.

The two individuals involved were subsequently identified, arrested, charged, and convicted over attacks on LinkedIn and Uber.

Retrospective bug bounty

Sullivan allegedly complied with an extortionate demand for payment while disguising it as a bug bounty payment and getting the hackers to make false statements as part of fraudulent non-disclosure agreements.

As the US Department of Justice points out, bug bounties exist to spur the legitimate discovery and reporting of security issues rather than to cover the exchange of compromised data.


California law requires businesses operating in the state to notify residents about data breaches. The wire fraud allegations arise from Sullivan’s alleged attempt to defraud Uber’s drivers by failing to disclose the 2016 breach.

According to prosecutors, the non-disclosure agreements falsely stated that the hackers had neither taken nor stored Uber’s data. In addition, Sullivan sent an email to Uber’s then recently appointed chief executive that characterized the affair as a routine “security incident” rather than a (more serious) data breach.

“When hacks like this occur, state law requires notice to victims,” acting US attorney Stephanie Hinds said in a US Department of Justice statement on the latest development of the closely-watched case. “Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either.

“We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company,” Hinds added.

Sullivan is charged with three counts of wire fraud, obstruction of justice, and misprision of a felony. The wire fraud charges carry a higher maximum period of imprisonment than the other offences.

Sullivan’s arraignment on the new charges is yet to be scheduled and no plea has been entered.

Uber – which was already under investigation in relation to an earlier 2014 breach at the time of the second, similar data leak – failed to disclose the 2016 breach to consumers or to regulators at the US Federal Trade Commission until November 2017, circumstances that ultimately led to censure and a $148 million data breach settlement with the FTC.

The earlier 2014 breach led to the exposure of the names and license plate data of approximately 100,000 drivers.
