Cyber’s New Paradigm: The Higher the Trust Level, The Lower the Trust
Joseph Sullivan, the former Chief Security Officer of Uber Technologies, Inc. (“Uber”), was convicted on Wednesday, October 5, 2022, on charges of covering up a data breach. According to court records, While Sullivan was hired as Uber’s Chief Security Officer (“CSO”) in April 2015 he was involved in two hacks: one in 2014 and another in 2016. When Sullivan was hired, Uber disclosed to the FTC that it had been the victim of a data breach in 2014 and that the breach was related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and driver’s license numbers.
In May 2015, the month after Sullivan was hired, the FTC served a detailed Civil Investigative Demand on Uber demanding extensive information about any other instances of unauthorized access to user personal information, and information regarding Uber’s broader data security program and practices. In his new role as CSO, Sullivan supervised Uber’s responses to the FTC’s questions, participated in a presentation to the FTC in March 2016, and testified under oath, at length, to the FTC on November 4, 2016, regarding Uber’s data security practices. Sullivan’s testimony included specific representations about steps he claimed Uber had taken to keep customer data secure.
Ten days after his FTC testimony, Sullivan learned that Uber had been hacked again. The hackers reached out to Sullivan directly, via email, on November 14, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million Uber users and 600,000 driver license numbers.
After learning the extent of the 2016 breach and rather than reporting it to the FTC, or any other authorities, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.
Despite knowing that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in the summer of 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
In the Fall of 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. At the time Sullivan lied, falsely telling the new CEO that the hackers had only been paid after they were identified and deleted from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017.
In finding Sullivan guilty, the jury concluded he obstructed justice, and that he knew that a federal felony had been committed and took affirmative steps to conceal that felony.
A Teaching Moment. I often argue that a security professional’s worse nightmare is the Inside Threat: Insiders with motive have Motive, Means and Opportunity (MOM) to commit a crime. In Sullivan’s case, the Inside Threat is a second order effect and not too bright: He brought his subordinates on board with no visible incentive, other than the implicit threat of being fired. Yesterday, the FBI Boston Office released a “Trust In Me” public service announcement. During the announcement, Joseph R. Bonavolonta, Special Agent in Charge of the FBI Boston Division said “The first step towards protecting yourself from cyber incidents is to develop a relationship with the FBI. Doing so enables you to identify who to call in the event you do suffer a cyber incident, granting quick and efficient access to our rich network of resources. Cybersecurity is national security, and by working together and reporting these incidents to us, you are working to help prevent these bad actors from victimizing others, and potentially from re-victimizing you.” I disagreed with Mr. Bonavolonta then and now. With all due respect to Special Agent Joseph R. Bonavolonta, the first step towards protecting yourself from cyber incidents is not to develop a relationship with the FBI. While a relationship with the FBI is important, given the trust and competency issues: . For example, The FBI’s Cyber Guardian system “rather than a beacon of trust, as the moniker implies, an audit report from the Justice Department’s internal watchdog paints a picture of a guardian that is not dependable, given to simple errors and late with needed information.” The FBI’s email servers were previously hacked, resulting in spam emails being sent to the public that appeared to be from the agency and the Department of Homeland Security. Instead, we first recommend a review of the $1.00 fence for the $1,000 horse. There are two types of businesses; Those that know they have been victims of security breaches and those that don’t. Why it is important to identify and prioritize the stored information aka as intellectual property. We also suggest a paradigm change: The higher the trust level in your computer, the least trust. The people you trust the most, are the most dangerous. This is known as the Inside Threat, which we have been preaching for years, but the FBI often leaves out: In remarks prepared April 27, 2022, for delivery to the Domestic Security Alliance Council, FBI Director Christopher Wray finally referred to the Inside Threat and made it clear the counterintelligence threat posed by China is top of mind and ” nothing presents a broader, more severe threat to our ideas, our innovation, and our economic security than the People’s Republic of China.”.
Number three, develop a relationship with the FBI. In the Uber case, bringing in Mr. Sullivan to Uber at the highest level of trust, management should have treated him with the least trust. The accounting issue should have been a big red flag for management as Uber paid the hackers $100,000 in bitcoin in December 2016. Who signed off on the payment? Where were the lawyers?