November 26, 2020



The Uber data breach cover-up: A timeline of events

When former Uber CSO Joe Sullivan was charged in August for his alleged role in the Uber data breach cover-up, it was the latest in a series of events for the ride-sharing company that date back to 2014.

Sullivan, who is currently CSO of Cloudflare, was charged with one count of obstruction of justice and one count of misprision of a felony in connection with Uber's response to the 2016 data breach. Prosecutors claim he orchestrated the cover-up by paying $100,000 in "hush money" to the threat actors behind the breach and disguising the payment as a bug bounty reward. The goal, according to the criminal complaint against Sullivan, was to conceal the 2016 Uber breach from both the public and the U.S. Federal Trade Commission (FTC), which was investigating Uber over an earlier data breach.

The Uber data breach cover-up and the case against Sullivan feature several key dates and developments, according to court documents and statements from the FTC. Here is a look at some of the important dates:

May 12, 2014: Threat actors access personal data of Uber customers and drivers stored in an AWS S3 bucket. The attackers used an AWS access key that had been publicly posted to GitHub and obtained data that included 100,000 drivers' names, driver's license numbers, physical addresses, email addresses and other information.

September 2014: Uber's security team discovers the intrusion and begins investigating the incident.

February 2015: Uber sends breach notifications to its drivers and also discloses the attack to the FTC, which begins an investigation into the incident.

April 2, 2015: Uber hires Joe Sullivan as its first CSO. Sullivan previously served as Facebook's CSO for five years.

Nov. 4, 2016: Sullivan gives sworn testimony to the FTC regarding its investigation into the 2014 breach, which predated his arrival at the company. Sullivan testifies about Uber's use of AWS S3 storage buckets, as well as the data privacy practices used to protect data stored in those buckets.

Nov. 14, 2016: Sullivan receives an email from anonymous threat actors claiming they exploited a "major vulnerability" and obtained access to an Uber database. Uber's security team investigates the claim and discovers that the attackers used stolen GitHub credentials to access Uber's private code repository, where they found AWS credentials and used them to reach an S3 bucket containing the database.
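Both intrusions in this timeline share one root cause: a long-lived AWS access key sitting in a code repository (posted publicly in 2014, reached through stolen GitHub credentials in 2016). The scanner below is an added example, not code from the article or from Uber, showing how such keys can be caught in a pre-commit hook or a sweep of repository history. It matches the AWS access key ID format (AKIA or ASIA followed by 16 base32 characters) and flags 40-character secrets that appear next to a credential-looking key name, using a Shannon entropy threshold to drop placeholders. The sample file is constructed; the key values are the placeholder credentials from AWS's own documentation, not real keys.

```python
"""Flag AWS credentials committed to a repository (added example, not Uber's code)."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List

# AWS access key IDs: AKIA (long-term IAM key) or ASIA (temporary STS key)
# followed by 16 characters from the base32 alphabet.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b")

# Secret access keys are 40 base64-alphabet characters with no fixed prefix, so
# require a credential-looking key name on the same line to limit false positives.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_?secret)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log or store the full secret
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: ~0 for repeated chars, ~4.5 or more for a random base64 string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]


def scan_text(text: str, min_secret_entropy: float = 4.0) -> List[Finding]:
    """Return one Finding per credential-looking token, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            tok = m.group(0)
            findings.append(Finding(line_no, "aws_access_key_id", redact(tok), shannon_entropy(tok)))
        for m in SECRET_KEY_RE.finditer(line):
            tok = m.group(1)
            ent = shannon_entropy(tok)
            # Placeholders such as forty 'A's have low entropy; real secret keys do not.
            if ent >= min_secret_entropy:
                findings.append(Finding(line_no, "aws_secret_access_key", redact(tok), ent))
    return findings


# Constructed sample of a credentials file checked into a repository. The values
# are the placeholder credentials from AWS's documentation, not real keys.
SAMPLE_COMMIT = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
# low-entropy placeholder: must not be reported
secret_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
artifact_sha1 = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""


def main(paths: List[str]) -> int:
    """Scan the files given on the command line (or the built-in sample); exit non-zero on any hit."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_COMMIT)]
    hits = 0
    for name, text in sources:
        for f in scan_text(text):
            hits += 1
            print(f"{name}:{f.line_no}: {f.kind} {f.redacted} (entropy {f.entropy:.2f} bits/char)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with file paths to scan a working tree, or with none to scan the built-in sample, which reports the access key ID on line 3 and the secret on line 4 and stays silent on the all-'A' placeholder and the SHA-1. For the 2016-style exposure, where the key is already in history, the scan has to cover every commit (for example the output of `git log -p`), not just the current tree, and any hit means the key must be rotated: deleting it from the repository does not revoke it.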

Nov. 15, 2016: Sullivan contacts then-CEO Travis Kalanick about a "sensitive" matter, according to records of text messages. Kalanick speaks with Sullivan and then sends a text message discussing how the matter could be handled "as a [bug] bounty situation."

Dec. 8, 2016: Using HackerOne's bug bounty platform, Uber authorizes a $100,000 payment to the threat actors behind the breach, who later sign non-disclosure agreements regarding the incident.

January 2017: Uber's security team identifies the threat actors behind the breach.

April 19, 2017: Uber sends a letter to the FTC requesting that the commission close its investigation into the company's 2014 data breach. The letter states that Uber had fully cooperated with the FTC and provided "exhaustive" responses to investigators' questions, while also claiming Uber's security team had implemented "numerous and extensive additional protections" for data stored in its S3 buckets to prevent a repeat of the 2014 incident. The letter does not disclose the 2016 breach.

June 21, 2017: Kalanick steps down as CEO of Uber following numerous scandals.

Aug. 15, 2017: Uber and the FTC agree to a proposed settlement regarding the company's 2014 breach, as well as claims that Uber employees had improperly accessed customers' personal data. The settlement prohibits Uber from misrepresenting its security practices and requires the company to implement a comprehensive privacy program and to undergo third-party audits every two years for the next 20 years.

Aug. 29, 2017: Uber names Dara Khosrowshahi as its new CEO.

September 2017: Sullivan is asked to brief Khosrowshahi about the 2016 Uber data breach. However, according to court documents, Sullivan's briefing omits key details about the breach.

Nov. 21, 2017: In an open letter, Khosrowshahi discloses the 2016 breach with an apology for not disclosing the incident earlier. On the same day, Bloomberg first reports that Sullivan and Craig Clark, a senior lawyer on Sullivan's team, were fired for concealing the breach and paying off the hackers.

April 12, 2018: The FTC announces it has withdrawn the proposed settlement with Uber regarding the 2014 data breach and criticizes the company for concealing the 2016 breach during its initial investigation.

May 16, 2018: Cloudflare hires Sullivan as its new CSO.

Aug. 2, 2018: A grand jury indicts Brandon Charles Glover and Vasile Mereacre for attempted extortion of Lynda.com (now LinkedIn Learning), an online job training and education company. Glover and Mereacre are accused of gaining access to 90,000 Lynda accounts and demanding payment from LinkedIn in December 2016.

Sept. 26, 2018: Uber agrees to a settlement with the attorneys general of all 50 states and the District of Columbia regarding the 2016 data breach. Uber agrees to pay a record $148 million penalty for concealing the breach.

Oct. 26, 2018: The FTC approves a revised settlement with Uber. The company is subject to civil penalties for any failure to disclose future breaches or security incidents involving unauthorized access to customer and driver data.

Oct. 30, 2019: The Department of Justice announces that Glover and Mereacre, then 26 and 23, have each pleaded guilty to conspiracy to commit extortion in a superseding indictment related to the Uber data breach. The two men admit Uber paid them $100,000 through HackerOne under the guise of a bug bounty.

Aug. 21, 2020: Sullivan is charged with one count of obstruction of justice and one count of misprision of a felony. Authorities claim Sullivan concealed the 2016 breach from the public and the FTC in an effort to obstruct the FTC's investigation into Uber's security practices.