Ex-Uber CSO Joe Sullivan Receives Probation For Cover Up – eCrimeBytes Nibble #36

Sit back and listen to the story of Joe Sullivan, Uber’s former Chief Security Officer (CSO), and his cover-up of a data breach landing him… probation?

This was a highly publicized case where a corporate executive (Joe Sullivan) used his powers to cover up a data breach at Uber. The timing of this data theft was bad, as Uber was already in the spotlight for a 2014 breach:

Sullivan, according to court documents [PDF], learned of the theft in November 2016, about 10 days after providing testimony to the US Federal Trade Commission about a 2014 cyberattack on Uber. Concerned that another data security breach would harm the company, Sullivan tried to cover up that 2016 heist.

https://www.theregister.com/2023/05/04/uber_cso_joe_sullivan_sentenced/

Two hackers, Brandon Charles Glover and Vasile Mereacre, were to blame for this most recent data theft. The pair extorted Uber for $100,000 and Uber paid! Glover and Mereacre have since pled guilty to one count of conspiracy to commit extortion involving computers.

Even though Uber paid, Sullivan declared the payment part of Uber’s bug bounty program. At the time, Uber’s bug bounty program had never paid more than $10,000 for a bug. This concealment from the FTC was the cover-up for which Sullivan was sentenced.

So what was Sullivan’s sentence after a jury found him guilty? Three years of probation and a $50,000 fine.

Transcript:

[00:00:00] Keith: Hey, sit back and listen to the story of Joe Sullivan, who is Uber’s former chief security officer and his coverup of a data breach landing him in probation. We’ll see you soon on eCrimeBytes Nibble number 36.

[00:00:55] So this is a highly publicized case where a corporate executive named Joe Sullivan used his powers to cover up a data breach at Uber. It was the timing of this data breach that was bad. Now see, Uber was already in the spotlight for a data breach that happened in 2014. So I was looking through the research of this case and The Register had a news clipping

[00:01:20] that I quoted in my blog. It says Sullivan, according to court documents, learned of the theft in November of 2016, which is two years after the first breach, or about 10 days after providing testimony to the US Federal Trade Commission about a 2014 attack on Uber. Concerned that another data security breach would harm the company,

[00:01:44] Sullivan tried to cover that up. He tried to cover up that 2016 heist. So I did a little more research and it looks like there are two hackers here named Brandon Charles Glover, and the second one is Vasile Mereacre. And I apologize if I mispronounce that, but that’s the best. M-e-r-e-a-c-r-e, Mereacre, were to blame for this most recent data theft. The pair extorted Uber for a hundred thousand dollars and Uber paid. Now Glover and Mereacre have since pled guilty to one count of conspiracy to commit extortion involving computers.

[00:02:33] So that’s one piece of the puzzle. Now, if you were to stop there, that’s a typical breach. Sullivan went one step further. So even though Uber paid, instead of saying I paid a ransom or something along those lines, Uber said we paid a bug bounty to somebody. Now, at the time, Uber’s Bug Bounty program had never paid more than $10,000 on a bug.

[00:03:01] So this is 10 times that amount for this breach, and he basically tried to sweep that under the rug by saying, okay, this is actually a bug that we’re paying for when in fact, when in reality, that wasn’t the case. Sullivan had his time through the court system and at the end of the day, Sullivan’s sentence, what was it?

[00:03:26] Ended up being three years of probation, a $50,000 fine. So it doesn’t look like he’s gonna spend any time in prison for it, and he has to pay a fine for it, which I imagine if you’re an executive of his stature, a $50,000 fine is probably, assuming he’s still working, I imagine it’s probably not that big of a fine.

[00:03:47] A $50,000 fine to a layman, on the other hand, could wipe a person out. You judge on how bad that punishment was. So if you enjoy this quick eCrimeBytes nibble where I take a case and just talk about it for a couple of minutes, you will definitely enjoy our eCrimeBytes full-length episodes where we take a case like this and we talk about it for 30 to 60 minutes, and we talk a little more in depth on the crime, the technical means behind the crime,

[00:04:14] any interesting or humorous scenarios that we find along the way. And we put it into a storyline that’s most of the time chronological, and we just walk you through these crimes, each true crime story, and we tell you as much as we can find out about it from court documents. So you know, the real firsthand knowledge of these cases, not even taking it from news articles.

[00:04:39] So again, if you like these real quick eCrimeBytes updates, you will definitely like our longer episodes and I really hope to see you over there on one of our longer episodes soon. Thanks. Bye.
