This episode explores the rise and controversies of Uber, including its inception, expansion, rebranding, leadership changes, autonomous vehicle program, protests, toxic culture, and legal troubles. It also delves into the significance of a major data breach and the trial of Joe Sullivan, Uber's former chief security officer, who faces criminal charges for concealing the breach.
The episodes have two (2) parts and Part 2 concludes with a discussion on the latest data breach and its implications.
Takeaways
Chapters
PART 1
Try KiteWorks today at www.KiteWorks.com
Don't Miss our Video on this Exciting KiteWorks Offer!
Try KiteWorks today at www.KiteWorks.com
Don't miss this Video on it!
The Most Secure Managed File Transfer System.
This episode explores the rise and controversies of Uber, including its inception, expansion, rebranding, leadership changes, autonomous vehicle program, protests, toxic culture, and legal troubles. It also delves into the significance of a major data breach and the trial of Joe Sullivan, Uber's former chief security officer, who faces criminal charges for concealing the breach.
The episodes have two (2) parts and Part 2 concludes with a discussion on the latest data breach and its implications.
Takeaways
Chapters
PART 1
Try KiteWorks today at www.KiteWorks.com
Don't Miss our Video on this Exciting KiteWorks Offer!
Try KiteWorks today at www.KiteWorks.com
Don't miss this Video on it!
The Most Secure Managed File Transfer System.
What Happened at UBER. Part 1
UBER Part 2: How Security Leaders Can be Liable
Main Topics: what happened at uber, how cyber security leaders can be liable, the uber crime story, story of the rise and fall of uber, story of rise and fall of uber, story of uber security leader, joseph sullivan story, story of joseph Sullivan, story of uber data breach, why uber failed to disrupt, what scandals happened at uber, can cyber security leaders be liable,
Summary
This episode explores the rise and controversies of Uber, including its inception, expansion, rebranding, leadership changes, autonomous vehicle program, protests, toxic culture, and legal troubles. It also delves into the significance of a major data breach and the trial of Joe Sullivan, Uber's former chief security officer, who faces criminal charges for concealing the breach.
The episodes have two (2) parts and Part 2 concludes with a discussion on the latest data breach and its implications. This conversation discusses the Uber breach and the ongoing trial of Joseph Sullivan, the former chief security officer of Uber The conversation explores how the hacker gained access and the potential ways the breach could have been prevented. The trial of Joseph Sullivan is also discussed, with differing opinions on his actions and the verdict. The conversation highlights the impact of the breach and trial on the cybersecurity community.
Takeaways
· Uber revolutionized the transportation industry globally but faced numerous controversies, protests, and legal challenges.
· The company experienced leadership upheavals, a toxic culture, and lawsuits from drivers and passengers.
· Uber's autonomous vehicle program and Uber Eats were successful initiatives amidst the challenges.
· A major data breach and the trial of Joe Sullivan highlight the importance of handling data breaches transparently and complying with reporting requirements. The Uber breach involved an 18-year-old hacker who gained access to sensitive information and posted screenshots online.
· The breach raises questions about the effectiveness of security measures and the need for regular penetration testing.
· The ongoing trial of Joseph Sullivan, the former chief security officer of Uber, highlights the potential personal liability of cybersecurity leaders.
· The breach and trial have had a significant impact on the cybersecurity community, leading to a reevaluation of roles and responsibilities.
Chapters
PART 1
00:00 Introduction
02:06 The Inception of Uber
04:03 Uber's Expansion and Rebranding
05:31 Leadership Changes and Controversies
08:25 Autonomous Vehicles and Uber Eats
09:51 Lawsuits and Controversies
11:46 Uber's Autonomous Car Program
13:10 Protests and Controversies
14:31 Toxic Culture and Leadership Changes
16:32 Data Breach and Legal Troubles
21:00 Significance of the Data Breach and Trial
29:18 Discussion on the Latest Data Breach
30:03 Questions Raised & New Charges Against Sullivan
33:08
PART 2
1:01 Trial of Joseph Sullivan
2:01 Uber's Awareness of the Breach
3:00 Hacker's Access and Screenshots
4:19 How the Hacker Gained Access
7:15 Understanding Hackers
13:40 Multifactor Authentication Fatigue
15:34 Moving Laterally and Pivoting
17:26 Access to Uber's Systems
18:23 Access to Cloud Services
23:20 Bug Bounty Program
25:14 Hacker's Boastful Behavior
26:12 Prevention and Penetration Testing
29:02 Ongoing Trial of Joseph Sullivan
30:28 Previous Breach and Payment to Hackers
33:23 Charges Against Joseph Sullivan
35:18 Testimony of Uber CEO
36:46 Testimony of Former In-House Counsel
39:41 Turning the Breach into a Bug Bounty
43:08 Defense's Argument
45:04 Verdict and Sentencing
46:00 Impact on the Cybersecurity Community
TRANSCRIPT:
Dino Mauro (00:03.278)
This story begins where all great ones begin, on a rainy warm night in Paris. The inception of the Silicon Valley tech startup, one which the world has never seen before or since. It changed the world as we know it, despite its explosive growth, the many scandals, and the fact that it was illegal in many parts of the world and cities where it would first open up.
Uber has arguably disrupted the transportation industry globally, a first of its kind. It also has a cyber crime story built into it and an historical landmark legal case where the tech company's own head of cybersecurity, Joseph Sullivan, a former federal prosecutor himself, would wind up being indicted by a federal grand jury.
taken to trial and found guilty. We walk you through it all from start to finish. This is the story of what happened at Uber and how cybersecurity leaders can be liable. Come join us as we dive deeper behind the scenes of security and cyber crime today. Interviewing top technology leaders from around the world and sharing true cyber crime stories to raise awareness.
from the creators of Vigilance, the newest global technology newsletter translating cyber news into business language we all understand. So please help us keep this going by subscribing for free to our YouTube channel and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cyber Crime Junkies, and now, the show.
Dino Mauro (02:06.702)
The Dave's story got more interesting the more we dove into it. David, why don't you walk us through it? So let's rewind back to 2008. Two friends, Travis Kalanick and Garrett Camp, were attending LeWeb in Paris, France. LeWeb is an annual tech conference. It's been described like in The Economist as where revolutionaries gather to plot the future. Back in 2007, both of them had sold startups.
And so they had a lot of cash reserves. They had co -founded both of them. Kalanick had sold Red Swoosh to Akamie Technologies for 19 million and Camp had sold StumbleUpon, which if you remember that back in the day, he'd sold that to eBay for 75 million. So rumor has it that the concept for Uber was born like at night during a conference when the two of them couldn't get a cab.
Initially the idea was for a timeshare limo service that could be ordered by a mobile app. And after the conference, the entrepreneurs went their separate ways. But when Camp got back to San Francisco, he continued to be fixated on that idea and then even bought the domain ubercab .com. Interesting. The concept was innovative. Order a custom ride from a simple phone app with a push of a button.
Through GPS coordinates, be able to see where the car is, information on the driver, and have it pop up anywhere you are without having to hail a traditional cab, which could be hit or miss based on many factors. All the costs which, while slightly more than a traditional cab, was automatically charged with tip, et cetera, through the app to your credit card. In June 2010, Uber Cab, launched in San Francisco, quickly became a huge hit among Bay Area techies.
Here's even a screenshot of the original app. Podcast listeners can see it on our site or in the notes. That is so cool. UberCab was off and running. They closed a $1 .25 million seed funding round from first round capital with investors Jason Galcenas, Kellanick's friend Chris Sacca and Napster co -founder Sean Fannie. Then in October 2010, UberCab rebranded itself.
Dino Mauro (04:32.558)
It became known as we know it now, Uber. So the reason this matters is because they changed the name to avoid the company marketing itself too much like a taxi business. See, tensions were high with the taxi industry. Every location the company went into. This would be a recurring theme over the next decade. There were protests, there were government interventions, there were...
lawsuits, the taxi industry, the unions, the local ordinances, the state and federal laws and regulations all had to be navigated for Uber to expand. And they did. Uh huh. So what happened next? Yeah. So right after they rebranded, the first of many leadership upheavals happened.
Later that same year, Ryan Graves, who was Uber's first CEO, he stepped out. And then he was replaced by none other than the original enigmatic founder, Kalanick. By the next year, they had launched in New York City, their largest market to date, right? And expanded internationally all the same year. They started, of course, where it all began, in Paris, France.
And it wasn't without controversy. They soon received strong pushback from lobbyists, the taxi industry, politicians, every single place they went. Consequently, the Uber business model became the form, right? The aggressive approach that they had to take started to have framework around it, right? It started to become a model when they would find a new location they wanted to enter. They had to figure out how are they going to anticipate?
the objections they're gonna see, how are they gonna overcome them even before it started so that they can become proactive. The strategy became perfected. Essentially, before launching into a new city or country, they would spy, gather market data, information on the unions, taxi groups, political power, influence local laws and regulations, how to battle them, including monitoring and engaging lobbyists, politicians, and power.
Dino Mauro (06:59.63)
They continued that approach, dealing with the PR challenges, all while perfecting their model and their technology. In 2014, taxi drivers in London, Berlin, Paris, and Madrid staged a massive large -scale protest against Uber. Taxi companies have been claiming that Uber avoids paying expensive license fees and bypasses local laws, which creates unfair...
That's insane. Then what happened? Well, what sets the Uber story apart from others is that all of this was happening at the same time. You've got the riots and the political upheaval. You've got internal culture issues, massive lawsuits. You've got union issues and lawsuits from their own drivers wanting to be
Deemed employees so that they can get benefits, et cetera. And meanwhile, Uber at the same time is seeing their vision and the future through their technology in autonomous driving. So by 2015, Uber announced a partnership with Carnegie Mellon University to create a new facility in Pittsburgh for testing self -driving cars. Guys remember this?
The first test vehicles out of Uber's Advanced Technologies Center are seen on the streets of Pittsburgh just a few months later. But even that was fraught with controversy. And we'll get to that in just a second. That same year, at the same time as all this, they also launch Uber Eats, right? The on -demand food delivery service that brings meals to your location no matter where you are in minutes.
The service starts in four pilot cities, Los Angeles, Barcelona, Spain, New York, and Chicago, and it expanded internationally. Of all their initiatives, many of which had fits and starts and never really lasted, there's a whole bunch of them we're not getting into, but Uber Eats was successful, and it remains a stronghold of theirs even to this day. And again, that same year, 2015, while those violent protests are erupting across,
Dino Mauro (09:24.558)
France as taxi drivers and their supporters block roads, burn tires and attack suspected Uber drivers. Uber also finds itself in a struggle with other lawsuits involving death and injuries to those getting Uber rides. And so what was called into question at the time,
was their hiring practices, their background checks, things like that. And just a couple months later, in February 2016, Uber had to pay $28 .5 million to 25 million writers to settle a class action lawsuit surrounding its advertisements. After the settlement, Uber was barred from using the terms, quote, industry leading.
unquote, or quote, best in class unquote, when referencing its drivers background checks. Why? Well, we'll get into that in just a second. By July of 2016, Uber announced that it had just completed its two billionth trip, which is amazing for a startup that's outstanding. But what's even more shocking is that was only six months after.
it had reached its one billionth trip. So in six months, it had completed a billion trips. Soon though, the drama continued to plague Uber. And they found drama once again in July of 2016 when a federal judge ordered that Uber, quote, engaged in fraudulent and arguably criminal conduct, unquote, when it used an investigative firm to conduct
background check on a plaintiff in a lawsuit. The plaintiff accused Kalanick, the CEO of the time, of violating antitrust laws by coordinating surge pricing. Like price gouging essentially is what was alleged. But at the same time, like I mentioned before, Uber was setting its sights higher and in higher tech and more advanced tech, namely autonomous vehicles.
Dino Mauro (11:46.606)
This was their future in their strategic planning, it seems. It would be the nail in the coffin of their competitors and the taxi industry. It would solve the issues they faced by all the lawsuits brought by Uber drivers who were claiming to be employees rather than mere contractors without benefits or of employment status. All that could go away with automated.
vehicles. So that issue, the issue of whether Uber drivers continue to be deemed employees versus independent contractors, that continues to be litigated today in 2022. Various different courts throughout the United States are addressing it. So with their eyes set on autonomous vehicles, in 2016 Uber launches an autonomous car program in San Francisco. No sooner though that they do that,
Once again, Drama finds Uber and California's Department of Motor Vehicles quickly declares the program illegal and Uber was forced to end it and look to other locations for testing its driverless cars. Another challenge that happened was in January 2017, you guys will probably remember this, President Trump at the time announced a travel ban to several majority Muslim countries.
In response, protesters swarmed the New York City airport with taxi drivers striking in support. However, Uber continued to operate, leading to a huge backlash as hundreds of thousands of customers took part in the viral hashtag delete Uber campaign.
And you remember the lawsuit settlement mentioned earlier? Well, they were plagued by litigation. In February 2017, a former Uber engineer named Susan Fowler published a blog post with allegations of a toxic and sexist culture at the company. Kalanick, the CEO at the time, who was dogged by all of this drama that seemingly appeared to be surrounding him, pledged to look into the matter and hired
Dino Mauro (14:03.79)
former US Attorney General Eric Holder to lead an independent investigation into the company's culture. In February that year, Fowler's story is followed by a New York Times report about Uber's aggressive, unrestrained workplace culture. The story alleges that Uber employees did cocaine during company retreats, that a manager was fired after he was accused of groping multiple female employees, and it goes on and on.
And who can forget the infamous Super Bowl video of February 2017, when on Super Bowl Sunday, Dash Cam video caught Kalanick losing his cool in an argument with an Uber driver about lowered fares. He went off on him and it was extremely unprofessional and embarrassing for the CEO. Kalanick soon issued a profound apology and said he'll seek out leadership help by hiring a chief operating officer at the company.
The following month, even more drama follows Kalanick when in March 2017, his ex -girlfriend, violinist Gabby Halsworth, details incidents of sexism she witnessed while she was at Uber. One story she tells is about a visit by several Uber executives to an escort karaoke bar in South Korea, which allegedly culminates in formal proceedings filed by a female Uber executive.
who filed a complaint. June of that year, the results of the internal investigation into Uber's workplace culture are released to the board. The investigation doesn't sound good. It finds 215 claims from employees of discrimination and sexual harassment. And the company says that over 20 employees were fired following that report. That same month,
Kalanick, CEO at the time, the founder from Paris, who conjured up the idea, is essentially forced to leave. He takes a leave of absence from Uber to quote, work on myself, unquote, after a year longer than a year riddled with scandal and controversy. No timeline was given. Simultaneously, Uber was being sued by Google, Alphabet actually, on behalf of their
Dino Mauro (16:32.046)
system Waymo, claiming that a former employee of theirs stole secrets relating to self -driving technology. The case was settled in early 2018. In addition to that, the New York Times revealed that Uber has used a feature that would allow it to operate in areas where it was illegal, resulting in a criminal investigation.
Stay with us. We'll be right back.
You know, we all have a lot of data and it has to positively, absolutely stay safe. It can't get into the wrong hands. And the biggest challenge we have is how to transfer it from here to there. We all know as leaders that legacy tools that transfer our important files and sensitive data are mostly outdated and fall short on security, especially with the demands of today's remote workforce. Relying on outdated technology puts our organization's brand at risk. And that is unacceptable. So we are excited to invite you to step into the future of completely secured,
managed file transfer from our friends at Kiteworks. Kiteworks is absolutely positively the most secure managed file platform on the market today. They've been FedRAMP moderate authorized by the Department of Defense since 2017. And unlike traditional legacy systems with limited functionality, Kiteworks has unmatched software security with ongoing bounty programs and regular pen testing to minimize vulnerabilities. And the coolest part, they have easy to use one click appliance updates you will love.
Step into the future of secure managed file transfer with Kiteworks. Visit kiteworks .com to get started. That's kiteworks .com to get started today. And now the show.
Dino Mauro (18:10.606)
So after that shareholder revolt in June of 2017, Kalanick formally resigns. And after a little more than two months, it was announced that Dara Kazhoshani, who was then the CEO of Expedia, took over.
At the same time, right around just a month or two later, it was kind of a surprise move. Kalanick exercised his control over the last two Uber board seats that still lasted under his control, and he appointed Xerox chairwoman Ursula Burns and former Merrill Lynch CEO John Thane. The move seems to be designed to get ahead of the proposed changes to the board structure that would have otherwise wiped out Kalanick's power completely at Uber.
That move though, poisons the feeling on the board and among leadership against Kalanick. And it seems to have backfired. And then it happened. In November 2017, the massive data breach occurred that changed the world. And before we get into the breach, let's just finalize our talk on the autonomous vehicle initiative. Since Uber was one of the pioneers in driving cars.
as they saw it as their future. So in January 2018, Uber officially closed a deal for Japanese investor SoftBank to take 15 % stake in the company. The deal severely limited Kellyn -Lex influence and voting power on the board. But then in March 2018, an Uber self -driving car struck and killed a 49 -year -old pedestrian named Elaine Herzberg while in Arizona.
It's the first recorded pedestrian death involving an autonomous car in history. Uber briefly paused its self -deriving program at the time as a result of the death, and Arizona suspended their test program. In August 2018, Toyota invested heavily, over $500 million in Uber, valuing the company at the time at $72 billion. And then, shortly thereafter, Uber went...
Dino Mauro (20:30.446)
public. It was the at the time when it went public, it was the highest valued private company in history. Extremely impressive for two guys who couldn't get a cab a few years earlier at a tech conference. So now let's address the breach. The breach is significant for two main reasons. The massiveness of the breach itself and the significance it has today in 2022.
to the world of attorneys, in -house counsel, CIOs and business owners on the results of how to handle a data breach. David, tell us about what we found. So here's what happened. Sullivan served as Uber's chief security officer from April 15 through November.
2017. During that time, he helped the company respond to a Federal Trade Commission, FTC, investigation of an earlier data breach the firm experienced back in 2014. He was familiar intimately with the process for investigating breaches because he's held security leadership roles in various highly recognized brands. And he even provided sworn testimony to the FTC about Uber's
earlier data breach and Uber's security practices. But in November 2016, just 10 days after providing that testimony for the prior breach, there's a complaint filed by the US attorneys that alleges that Sullivan learned about the subsequent, the second breach involving millions of users. But allegedly,
promptly began to cover it up. Seriously? Well here's how it's been reported to have happened. November 14th, 2016. Sullivan, Chief Security Officer, receives an email from John Doe's D -O -U -G -H -S at protonmail .com. Funny, right? And it claims that there's a major vulnerability. And they look into it and they say that there's a, that they've accessed a...
Dino Mauro (22:50.701)
database of customer information and they've been able to dump a bunch of the data. You know, data dump means like a transfer of large quantity of information. So Sullivan and his team go and they investigated right away they find that they had indeed access the database of driver's license numbers, confidential information, a lot of stuff that if this got out it would be really, really bad.
for the brand of Uber. They found immediately that they had all this information on over 600 ,000 Uber drivers and private information of customers. And then what's worse is they found that they had kind of done the breach essentially the same way as it happened the first time, the first breach.
They sent an email, the hackers had sent an email from that John Doza com from stolen credentials, right? And it found that they had accessed Uber source code on GitHub. And within that code, they were able to get the cloud information, the Amazon Web Services credentials that they could use to access the company's Amazon databases. So.
What is at issue is in his testimony to the FTC at the beginning of the hearing, November 4th, 2016, Sullivan had highlighted the importance of key management and not hard coding access credentials into that source code as an important part of an overall security program for the company. The reason that matters is that all of this winds up
leading to the exposure of this data and extremely sensitive information. Yeah, and our research found all these reports on this tracker document that basically laid out the timeline. And it illustrates allegations of the secrecy and how with all of the initiatives they had going on, all of the scandals, all of the lawsuits,
Dino Mauro (25:14.319)
all of the bad press, they really, really wanted to keep this second data breach as quiet, right? And there's a statement in there, in this report on the tracker document that said, what is our position to the company to talk about what we're doing? And their position was gonna be, we had a data breach back in 2014, we learned our lesson and we need to get our house in order. The investigation does not exist.
We're doing this in order to protect our information. And then the complaint brought by the US attorneys alleges that ultimately Joe Sullivan's decision was to handle the incident, the second breach in 2016, under the company's bug bounty program, choosing to pay off the hackers with $100 ,000 in Bitcoin, meaning rather than
Disclosing the breach working and being transparent with the FTC. They kept it silent even though they were already testifying in front of the FTC on the prior breach and to pay the Criminal hackers $100 ,000 each basically to keep them quiet as it's alleged and What they did is they sought to have the hackers sign?
non -disclosure agreements in exchange for the $100 ,000. And in fact, they did. But then they found that the hackers had used fake names. Shocking. And then they had to reach out to them and get them to sign under their actual names after they had done additional investigation. But what happened is by then, the FTC had found out. And then the feds got involved.
And there was the change in leadership away from Kalanick and the new leader, the new CEO said we would never have handled it this way and his clean shop and in addition terminated Sullivan. That's insane. Well, how it played out is the non -disclosure agreement that they had had the hacker sign essentially said,
Dino Mauro (27:40.655)
that you promise you're not gonna take or store any of the data from your research, that you've delivered to us or forensically destroy the information and that you would never disclose it to the public. But what happened is the hackers, like I mentioned, they initially signed the document using pseudonames. But later on in January 2017, after Uber had paid them that $100 ,000 each in Bitcoin,
Uber security team identified the two hackers actual identities. They followed up with them to sign the same non -disclosure agreement. But both men who did the breach and received the payment, they pled guilty to trying to extract these bounties from both Uber and they had done the same thing in LinkedIn, allegedly, through LinkedIn's data.
So when in August 2017, the new CEO, Dara Kazhashahi, begins, he starts to get involved and learn of all this. And then what's alleged here is that Joe Sullivan, at the time, initially lied to his new boss about the breach. His staff had drafted a summary of the breach and stated that everything was contained, that all rider and driver data.
would not be disclosed and it wasn't accessed or exfiltrated by the hackers. It's insane because it's alleged in the federal claims against Joe Sullivan, it's saying that when he initially wrote that summary or his team wrote the summary, then Joe Sullivan went in and deleted the part about the hackers actually taking.
the data, right? So the new CEO didn't know that the hackers had actually accessed the confidential information and also incorrectly said, as alleged, that the $100 ,000 that had been paid to the hackers was only paid after they actually had their real names, which obviously wasn't correct. Uh oh. So right around the same time, in November 2017, the company finally disclosed the second data breach to the
Dino Mauro (30:10.511)
And apparently they go live it right and at the same time the new CEO Finds out about all this and terminate Sullivan Sullivan was subsequently indicted and then recently was had supplemental additional indictments against him for for wire fraud as well Sullivan currently faces eight to ten years in federal prison if convicted of all the charges and
The magnitude here is really significant. I mean, these are serious allegations and raise a lot of questions about whether an internal CIO or security leader or IT leader should ever really face criminal charges for the way that they handle a data breach. They have, you know, dual missions that they're trying to run. One, to protect the organization's brand and two, to comply with law enforcement. And...
It also raises a lot of questions for about whether and when to engage law enforcement. And this is being watched by a lot of people. So in 2018, Uber agreed to pay $148 million to settle claims around that 2016 data breach. That's just in the civil.
right, and in the law enforcement fines and things like that, that affected, it wound up affecting not 600 ,000 Uber drivers, not just that, it actually wound up affecting 57 million users, 57 million customers and users across the world. That is what that data breach affected. And the lawsuit involved.
attorney generals from every single US state. Seriously? Whoa. Oh yeah, the feds are not playing around. Most recently on June 28th, 2022, a federal judge dismissed Joe Sullivan and his counsel's attempt to dismiss the case that was brought against him. And he said, nope, you are going to trial on wire fraud charges.
Dino Mauro (32:34.255)
over his role in the allegations involving this data breach that involved 57 million passengers. The U .S. Department of Justice in December of 2021, just, you know, seven, eight months ago, added three new charges against Joseph Sullivan to the earlier indictment. They're saying that he arranged to pay money to the two hackers in exchange for their silence while trying to conceal the hacking.
from passengers, customers, paying customers, drivers, the not employees, but the people that are driving the Uber cars and the FTC, the US Federal Trade Commission. So what happens then is you have to remember Kalanick is still the CEO back at this point. And there's some communications between Kalanick and Joe Sullivan that mentioned there's evidence of a text on November 15, 2016 where Sullivan,
Allegedly texted Kalanick saying quote. I have something sensitive. I'd like to update you on if you have a minute And then the two had a series of phone and FaceTime conversations The key is is that it's those two that were or allegedly clearly aware of the stolen driver's license information and the other private information by the hackers uh -huh
What makes this bad is there isn't any individual specific act that is so detrimental. But when you look at the totality of the circumstances and the fact that he was already attesting to the FTC about the prior breach and then there were internal lies and then there was clearly payment made to hush the hackers up. But they...
categorized it as a bug bounty program. Like all of these things together all lead to a really challenging method of dealing with a data breach and one which is really looking like it could go south for Joe Sullivan. But you know, it's in the hands of a jury and a judge and we're gonna see what happens in the next couple months.
Dino Mauro (34:58.575)
You know, there are clear rules about what you have to do when you have to engage law enforcement and we have to follow those, right? And yeah, he lost his job at Uber, but he promptly found another one less than a year later at CloudFair. And he had had numerous jobs at other big brands as well. These charges though, against an internal IT leader, really, they could result in really...
bolstering statutory breach reporting requirements. I mean, they absolutely send a really powerful message about covering up data breaches. And the breach itself can be bad, but this is far worse in how it's handled.
U .S. District Judge William Oreck in San Francisco rejected Sullivan's motion to dismiss and said he has to face the jury, which is coming up for trial in a few months here in 2022. Oreck rejected Sullivan's claim, who made the argument that he was only deceiving Kalanick and their lawyers, not the drivers. But the judge ruled, quote, those purported misrepresentations, though not made directly to Uber drivers, were part of a larger scheme to defraud them, unquote. At least according to the
indictment. So the judge ruled that that needs to go. It's a question of fact. The jury has to decide that. As you recall, the defendant was originally indicted back in September 2020 and now faces these additional allegations, including the wire fraud charges that were brought this past December. Why this matters is because this is the first time in history that a corporate
information IT security officer is criminally charged with concealing a hacking. It stems into what you're supposed to do and what you cannot do. One of the challenges, there's not a lot of rules. There's no clear rule per state or per country even that says when this happened you must do this, when this happened you must do this. So one of the reasons a lot of people think this is a bad idea to punish
Dino Mauro (37:20.059)
internal IT executives too harshly for this, right? Maybe do something, but maybe not the maximum sentence is because there's poor clarity in terms of how companies are required to protect sensitive information. We all know everybody should, but when things go south, there's no specific rule set that everybody knows.
about what you need to do in every single situation. But the counter argument to that is this, and that is there are clear rules, very clear, about when you're supposed to report data breaches. There's codes, there's codified breach notification laws, depending on the compliance matter that...
that you deal with and here he was dealing with the FTC already and was already attesting by oath on this. And this is why legal experts, cybersecurity insurance experts, CIOs from across the world are watching this case. This is why it is the data breach that changed the world because everybody is looking at what are the rules and what.
are the ramifications for not complying with those rules when engaging law enforcement. So tell us what happened. There was headlines over the weekend. I will be glad to, my friend. So in what will go down, okay, I'm going to do it right now. In what will go down as a catastrophic week for Uber. In the past seven days, Uber has sustained a massive new data breach. And Mark, it's as bad as they get.
And I'm not casting Shade at all on the internal. Right. No, no, not at all. This is this was a pretty. You change the name of the organization. It can happen to anybody at any time. Absolutely. That's the that's the meaning behind this. Yeah. But, you know, there are there are some things that are really interesting about this. But in the same week, talk about a bad week in the same week, they sustain this massive data breach. Their former.
Dino Mauro (39:47.247)
security chief, their former chief security officer. Chief security officer. Joseph Sullivan, who was like Silicon Valley darling, has worked at every major tech company. Yeah, he was well known, right? Oh, very well known. Yeah, yeah, yeah. He's I've seen him a lot. He's just been everywhere. Anyway, he began trial the same week.
Dino Mauro (40:15.519)
Today we're going to discuss in this bonus episode the latest news updates and our impressions of the 2022 uber breach as well as the trial of Joe Sullivan, former uber seesaw. He's been indicted and faces up to 20 years in prison. It's the first time in history that an internal IT leader faces criminal serious charges for how he handled.
a data breach. That's never happened before, has it? No, and the implications are huge. I mean, CISOs and people, business owners, executives from around the world, you should see online, like everybody is watching this trial because the implications are serious, right? It's going to depend. It's going to have legal ramifications. It's going to have a massive ripple effect in the industry, not just in security.
Especially security, but not just in all business, right? Like being held that accountable for something like this. Yeah. So let's begin with the latest data breach for those. So tell us what did you find? Well, for those who have listened to our podcast in the past, you will be aware that we had a prior episode on the Uber data breach from 2016 and what led to these charges involving Joe Sullivan. And the latest news broke last Thursday.
just a few days ago, and employees at Uber strolled into work, they got to work, they got online, Uber corporate, right? They're doing their work day and they use a lot of apps just like all of us do and they communicate. Some people use Skype, lots of people use Slack, right? And it's their communication channel. They use it on their phone, they use it on their desktop. And while communicating between team members, right? Via their...
internal Slack channel unexpectedly and without any awareness there was a hacker inside and a hacker announced on the Uber's internal Slack channel that he had completely accessed all of their systems and that he was upset about the way Uber had been treating their drivers. Right. And now a little precursor, a little legal disclaimer.
Dino Mauro (42:43.311)
Everything in this podcast is alleged. Okay. I wasn't there. You weren't there. Nope. No, we're basing this on screenshots that the alleged hacker has posted on Twitter and Telegram and other channels with other people in the hacking community because apparently this breach, like several others that we've talked about, Mark, guess who this
Hacker was. Was he a state actor? Was he North Korea, like we talked about in the Sony episode? No, I wouldn't. I wouldn't lean that direction. I would think this sounds more personal. Yeah, this is an 18 year old, allegedly. What? This is an 18 year old. Yeah, it almost reminded me of like Baby Al Capone and Ellis Pinsky that we just talked about. Yep. It is like another Baby Al Capone.
Yeah, this is a, and check out what he does. So as Uber says, well, we've turned off the internal Slack channel and we've, nothing's really been breached. There hasn't been that much access, et cetera. Well, what does he do? He starts posting, he's talking to other hackers in the community and he starts posting screenshots, all of which we'll show in the video for this episode.
But he posts the screenshots where he's talking to other people in the security field and other hackers where he's like, and they're like, are you the guy? He goes, yeah, check this out. Boom, here's all their financials. Boom, here's all their expense reports. Boom, here's their Amazon cloud access. So let me get to how that happened. So here's what we're going to talk about real quick. We're going talk about what we know about the status of it. We're going to talk about how the hacker allegedly got in.
What happened after? We'll touch a little bit about how this could have been prevented. Just in a sense, we're not going to sit here and go, oh, well, if they had our services or if they had this type of service, none of this would happen. Because nobody knows. And that's not the purpose of this podcast. But the truth is, it raises a couple of questions. Like, I thought they had this service. I thought they had this.
Dino Mauro (45:03.021)
you know, awareness in place. How did he get around that? That's what's more interesting here. And then we're going to update you on the trial of Joseph Sullivan going on right now in a California courtroom. So that, you know, generally a breach by one person should not be the end of a company that large, right? It shouldn't be able to access so much stuff, right? What happened was, and it was kind of ironic,
where it almost came down to the audacity of a teenager versus some... Right, that's what it sounds like. Right? And the employee basically just wanted his notifications to stop. So let me tell you what happened. As we get through it, you can almost hear like the face palms from the security team about how this happened. So...
Uber confirmed Thursday that it was responding to a cybersecurity incident and after various reports on social media and things like that, and again, and this gets into what you and I always talk about, about Uber found out about this when the hacker decided to tell them he was in. Right. What are the stats though? It's like 80 % of CSOs or any security intelligence officer for an organization. 80 % of them find out not because of self -discovery.
Right. It's from the media, it's from social media, or it's from law enforcement. And we're going to have a couple of FBI agents, former and current, on this podcast that are coming up in the next couple of weeks. They're already scheduled and we've already talked to them. And they will be able to explain. Most of these business owners and security teams did not know that they had been breached until we came knocking on the door. Right. And it's really, really shocking. Anyway, so...
What happened was the first media announcement that where it became public was in the New York Times on Thursday. And several of the internal communications and engineering systems had been taken offline by Uber in light of it while they investigated the incident. Okay. They stayed. They made Uber set in a statement to TechCrunch that it's investigating the cybersecurity incident and that it was in contact.
Dino Mauro (47:30.543)
with law enforcement, but they declined to answer any questions. So here's what we know about the status. And this is all gathered and we're going to show the screenshots and cite all the resources. But believe it or not, I mean, it's so ridiculous that we learned about this. We're gathering all this information from Twitter of all places, right? Telegram, the encrypted private app, hacker forums.
New York Times, Routers, Bloomberg, Fox and CNN for both sides of the political table. Spectrum, yeah. And then even more germane from wired and specific YouTube channels of people that were involved and spoke with the actual alleged hacker. So what happened was there seems to be a sole hacker behind the breach, 18 years old.
Uber in an update said there's no evidence that users private information was compromised. OK, we have no evidence that they this is what they're quoted as saying. Quote, we have no evidence that the incident involved access to sensitive user data like trip history, unquote. And then they said, quote, all of our services, including Uber, Uber Eats, Uber Freight and Uber Driver app are operational, unquote. A lot of people took issue with this.
for reasons we'll get into, but a lot of their access, almost every aspect of their organization was visible. So, you know, here's what, back in 2016, they had, I mean, they had to pay hundreds of millions. Remember they had to pay a lot of money for fines and the way that they handled it's part of the reason why Joe Sullivan, if you want the details of that prior breach, go listen to our other episode.
Right, right, all the details are in that episode. Everything. So, but despite what Uber's claiming here, the hacker was openly communicating with many people in the security and hacker community and posting screenshots along the way. So on the one hand, Uber says, no big deal. And on the other hand, the hacker openly shows screenshots of Uber's complete financials.
Dino Mauro (49:52.053)
employee information. He actually, when he posted the screenshots, he actually had people's names up in the upper right hand corner who were the people that he had compromised. So one guy's name there is like Philip Lee and I'd hate to be him today, but it looks like this guy got in under his access and he's going to see all the screens that he's got access to. Here's basically what happened. So that's about as bad as it gets. Well, here's what happened. So he got.
I'm just going to walk you through. I'm not going to read all the reports because it's a lot. But here's basically what happened. The 18 year old gets the credentials, the login name, like the email and the password for an Uber employee. Step one, right? He got that. How he got that? He could have got that from a phishing email. He could have got that from social engineering. Frankly, he could have bought it online.
Passwords brand there's a whole bunch of ways he could have done it frankly could have bought it on the dark web or frankly pop guest Right like he could have just used a pack or soft a password cracking software or frankly just Thought about it and guessed it's not an art right do a little research research on people that post their favorite sports teams on on social media post Green Bay Packers password right answer a lot of people answer those Facebook
host those memes that say, where was your first school? But you grew up there. But it's like, oh, it was St. Barman. Yeah, why should people not respond to that? That's great, buddy. That's your security answer to your password, right? Don't do that. OK, people don't do that. OK, so anyway, he gets that. But what happens? Uber's not dumb. They have what? What do they have? What's the biggest protection that's required by most cybersecurity, cyber insurance firms?
What's the process? You sell a lot of it. You shouldn't. Oh, you've got, let's see, what are the most popular? Multi -factor authentication. They have multi -factor authentication. Okay. Well, there's an approach in security in hackers that hackers use. And we're going to get into the terms also. Let me digress here for a second. When we say hackers, okay, we do not mean.
Dino Mauro (52:17.487)
somebody that has ill intent, or there's somebody on the outside of the law, or somebody that's outside of morality. And we're gonna get in this with some upcoming episodes about the terminology and how we have to reset the terminology. Because when I use the term hacker, I almost mean engineer. That's what I mean. The definition is really somebody with the ability to gain access that they don't have permission to.
It doesn't make them a criminal. Not at all. And frankly, to understand our vulnerabilities, we have to know where we're vulnerable. We have to know. And hackers aren't this isn't a Greek play. Like people don't always remember that thousands of years ago, the Greek plays. Everybody was all good. And then this character was all bad. Right. It's not binary like that. Right. There are some things that are.
little gray, there's probably 50 shades of gray in the full ambit of what a hacker will do in order to expose a vulnerability for an organization so that they can fix it. That's what this is about. Anyway, it aggressed. But here, what happened was he gets the guy's information, tries to log in as him, right? Tries to get into Uber. I mean, it's their...
Their CEO is testifying at trial in San Francisco. The whole world is watching. The former CISO is testifying last week during this time, right? So the hacker is trying to get in because man, this would be a good one, right? He's 18 year old. Yeah. All eyes on me. All eyes on me, man. This is, this is, this is, this is a trophy. This is a huge trophy in the hacking community. So he's trying to get in. Well, guess what's happening. Every time he tries to log in, they say, okay, what's the...
please approve this in the multifactor authentication. So he just keeps doing it. It's a process called multifactor authentication fatigue, meaning you're spamming it, right? Until the person ultimately doesn't want the notifications. As we're talking right now, I hear your frigging phone buzzing. And you know, like, the point is, is at a certain point you want to stop it, right? At a certain point you want it to stop. And...
Dino Mauro (54:41.839)
So what happens is the employee that he ultimately socially engineers to get in doesn't approve it, right? He's like, I'm not trying to log in. I'm either already in or I'm not at work or whatever. I'm not approving it. So then the hacker gets creative and he goes to the WhatsApp and he gets on WhatsApp and then he says to the employees trying to socially engineer, hey, this is...
you know, blah, blah, blah from your internal Uber IT team. We're trying to fix some configuration or do something. Please approve the multi -factor authentication. So the employee does it. Presses one button on the phone approving the multi -factor authentication. Oh no. And with that, now hang on, with that, he gains access as that employee.
So as we know, when this happens, he now controls that employee's digital life insofar as the sphere of world as an Uber employee, right? He hasn't taken over this personal employee's banking information, his Facebook, his social media. He hasn't gotten that yet, right? He may, who knows? He may take over all of Uber later, who knows? But as we know now, what he does have though is comp -
complete access to what this employee did. Well, here's where things go south. Apparently, this employee, Uber had a shared drive on there. So let me get the actual information. I'm going to show the screenshots, right? He got in through MFA fatigue, right? And he basically overloaded prompts and notifications.
on what was said and this is a very, this whole multifactor authentication fatigue mark. This is what happened with Twilio, MailChimp and Okta earlier this year. Wow. This is how they got in. It was multifactor authentication fatigue. So once the attacker obtained valid credentials, they performed this push notification spamming repeatedly until the user approves. Okay.
Dino Mauro (57:06.159)
This usually happens because the user is distracted or overwhelmed by notifications, and in some cases, it could be misinterpreted as a bug or confused with other legitimate authentication requests. Right. I can see how that would happen. Yeah. Here's what happened after the hacker got in. At a very high level, the consensus appears that there was social engineering, but then he was able to move laterally. Once he's in, he wasn't just -
in this employee's system. He was able to go through other systems. See, this is where the security architecture, the access, right? We always talk about this. So much of it depends on what do you do? You really it all starts with like an inventory. Do you know what's on your network? Do you actually know who at your company can access what? Because most business owners have no idea.
They'll ask IT and IT was like, oh, we got this. You're secure. Don't worry about it. Right. The truth is until you do some of these, you know, so perfectly, this is where we talk about penetration testing, natural penetration testing with ethical hacking until you're able to see where that employee is able to move laterally in an organization and possibly vertically. You know. You don't know. You don't know. And somebody in another department,
Even if they're allowed to come into the organization's network, there shouldn't have access to other pieces, right? For various reasons, but in a case like this, this is an example, a perfect example of it. So they were able to move laterally, he was able to move laterally and pivot, right? And then he found administrative credentials that ultimately led him to get the keys to the Uber kingdom.
The attacker found high privilege credentials on a network file share. Okay. So he gets to a network file share, right? And then he's able to use those to access everything, including production systems, Uber Slack management interface, Slack channel, the company's endpoint detection and response, their EDR portal.
Dino Mauro (59:26.863)
So when I saw the screenshots and I was looking through this and I was watching the videos on this, Mark, they were able to get into the Sentinel -1, which we use, like the Sentinel -1 EDR portal. He was able to do this. Right. Now the issue, there's a couple of issues that come to my mind, is could this employee, the one that he socially engineered, could that person have access to it? Or did this kid?
find access. Leverage that entry into the network as a whole and then moved farther than this employee even knew he could move. Yeah. We had never done it. That's what it seems like from everything I've read so far. I don't know. Listeners, you are able to call in to our show and let us know what you think or what you have found. Let me tell you that we have a call -in number.
at any time you guys can call in, leave a voicemail, and we will put your responses into this episode. So if you call in the next day or two, we will add your questions right into this episode. Our number is 317 -682 -9325. Again, and a little slower. 317 -682 -9325. That's the 7 -O 'Clam Junkies number. Please.
call in, leave a voicemail. We're happy to hear you and then we will address it on the next episode. We're interested in your feedback and to hear what you guys have to say. So this attacker, Mark, circling back here, the attackers also believed, so check this out, to gain administrative access, not just like view, right? Administrative access to Uber's cloud services. Uh -oh.
Yeah, that can't be Amazon Web Services, their AWS and their Google Cloud. That's where Uber stores its source code and customer data, as well as the company's hacker one bug bounty program. So if you look online, hacker one has a lot of things they do the bug bounty program. You remember that bug bounty program is at the heart of the trial of Joe Sullivan.
Dino Mauro (01:01:53.455)
Right, right. Because... Maybe tell the listeners, for first time listeners, what's a bug bounty? What's that? Yeah, a bug bounty program is when people... Companies that work in technology, like an app, Uber's an app, right? Well, they want the hacking community, and it's facilitated by excellent groups like HackerOne, they want them... They have a bug bounty program. If you find a vulnerability, if you can hack into this app,
If there's bugs in this app, if it stalls out, if it breaks, if you break our app, tell us and we'll pay you. Right? Basically, they're just contracting out testing of their vulnerabilities and applications. You see, it's quality control, it's research and development. And who can do that? Like if they just employ all these hackers to test it, all of these engineers to test it, they know what they know and they don't know what they don't know. You put it out in the wild.
In the hacking community at large, now you're really going to find out what's wrong with your app. And they'll pay you for it. It's very common. That's how a lot of hackers make their living. And there's nothing wrong with it. That's what we need. That is what organizations need. If you do it, and that's where it gets to gray hat, white hat, black hat, the point is don't do it and then give us ransomware. Just do it and show us.
the vulnerability so we can fix it and we'll pay you. Right. So and that gets into go listen to the other episode because that's what Joseph Sullivan and team were claiming happened in the prior breach. But it really didn't happen. They had been compromised. They paid them and then they did it. The reason they did that in that case as alleged is because by saying they paid them under the bug bounty program, they wouldn't have to disclose it as a breach. So the stocks wouldn't go down.
Nobody would know. Nobody would have to know, right? That's what it's all about because it all gets back to the psychology of security and trust in privacy. So it all makes sense, right? So he seems to have gotten hold of privately disclosed vulnerability reports submitted by HackerOne as part of Uber's bug -burning program. That's bad. That's not good. Okay?
Dino Mauro (01:04:18.447)
So TechCrunch reports that Sam Curry, a security engineer at Yuga Labs, described the breach as a complete compromise. He said the threat actor likely had access to all of the company's vulnerability reports, which means they may have had access to vulnerabilities that have not yet been fixed. Oh no, they told him where the holes were. Yeah, so HackerOne disabled the Uber's bug bounty program. They're solid, they're on top of it.
And in a statement to TechCrunch, Chris Evans, hacker ones, seeso, and chief hacking officer said the company is, quote, in close contact with Uber security team, have locked their data down and will continue to assist with their investigation, unquote. So, I mean, look, it looks like the person, like we said earlier, it looks like they were collecting trophies as they bounced through the network. And they were posting these trophies as forms of screenshots.
of various tools and utilities as they moved around Uber. And then they were, I mean, they were posted in publicly. And I think that's what makes you realize that it really is probably an 18 year old, right? Cause it's just so boastful. It seems like he's doing it for street cred. Right, right. Right. Look at me. Look what I can look what I did. Well, look at the people that we've known that are professional engineers, CISOs today. It started as kids just like this. Yep. Right.
We've talked to people that were freakers back in the day, people that hacked various systems and they just did it. They might have gotten in trouble. They might have been threatened with some trouble. But the point is then they shifted over to seeing how this is actually, you can be a productive member of society by doing it for good cause. It seems like he's trying to build up some street cred and man, he got a whale. So this is pretty good. So let's touch briefly. That's what we know and that's what.
what he accessed. So let's touch briefly about how it could have been prevented. I mean, here's the thing. Chris Roberts had a post, the infamous CISO of Boom and the infamous hacker who we've had the privilege to talk to. But he had a post recently about, hey, how long is it going to take to people to try and sell stuff because of this Uber breach?
Dino Mauro (01:06:41.391)
Right. And that's the one thing we don't want to do. Right. Like you don't want to say, oh, if you had our service, you bought this product, this wouldn't have happened. Bullshit. Like bull. It's not true. Okay. But it makes us wonder, regardless of what we do for a living, it makes us wonder. So when this person got in, right. And he's moving around. Shouldn't that have been if he's moving around.
laterally or vertically, moving around this network way beyond what this person, the employee that got socially engineered normally should have done. And he's taking any scraping data or taking data or moving some data. Shouldn't that have been an anomaly? I mean, it should have been an anomaly. Yeah, that should have been something that somebody saw. Right. Like that's, you know, and the fact that he was able to do that, I would think.
could have been found had they done some type of penetration testing ahead of time. And that's what I'm asking. Like, yeah, don't you think? Like, and this is where people call in, like, let us know what your thoughts are, because maybe I don't understand the, um, the complexity or the technology aspect. And that's perfectly fine. I love to stand to be stood corrected, but this is the type of thing where I'm like, isn't this exactly what
like MDR, Manage Sim, SOC. Isn't this the anomaly type thing that could have been found? Like it seems pretty obvious. And the access from the one employee to all these other systems that probably shouldn't have happened, right? That could have been found through a red teaming exercise or through a penetration test. Right? Where they can go through that testing wise and then lock that down.
Right? I mean, this guy got access to their PAM, to the Private Access Management platform. He got access to everything. He got access to absolutely everything, Mark. So again, tell us what your thoughts are. You can send us an email at cybercrimejunkies at gmail .com, cybercrimejunkies at gmail .com or info at cybercrimejunkies .com.
Dino Mauro (01:09:02.095)
or call us and leave us a voicemail with your feedback at 317 -682 -9325. 317 -682 -9325. For viewers, we will put that number right on the screen. Any other thoughts on what could have been done? Now, I think this is really still unfolding, right? This just happened. Yeah. So it would be interesting to see how this transpires, especially while there's an actual federal
taking place for the sitting CISO at this time. So it's just a lot going on. We don't wish any ill intent and don't want to throw shade in any way towards an organization, but we just want to make sure people are aware that this happens and there's reasons it happens. And if we can talk about those reasons and understand it, then maybe it'll prevent it from happening to somebody else. Yeah, that's exactly what the point of this is. So it's stuff's kind of blown my mind so much I just took my vitamins.
So this is not the first time that now let's talk about the current trial and we're going to be following this and we will update you all soon as well when the results of this trial come out. But this, as we know, isn't the first time that Uber has been compromised. Back in 2016, hackers stole information from 57 million driver and rider accounts. Remember that one? We had a whole episode of that.
And then they approached Uber and they demanded $100 ,000 to delete the data. Uber made the payment to the hackers, but kept the news of the breach quiet for more than a year. Okay. That is at the heart of the case. US versus Sullivan, 20 CR 00337, pending in US District Court, Northern District of California, San Francisco, currently on trial.
today. It is September 19th. They were they had trial began last week, several days of trial. It's expected to go several weeks. Joseph Sullivan, well known in Silicon Valley, well respected, really polarizing, right? People are on both sides of the fence. There's there's a lot of empathy for Joseph Sullivan and how we handle this. And then there's a lot of
Dino Mauro (01:11:24.303)
views from security experts that are like, no, you knew this was wrong. This is clearly wrong. We don't do it this way. So it's it's we're reporting on it. We don't I personally don't have an opinion. I wasn't there. So I don't know how I would have acted. So what's interesting about Joseph Sullivan, Mark, is he himself is a former federal prosecutor. So he was an attorney. Oh, wow. Yeah.
He was a former federal prosecutor and check this out. Guess where he was a former federal prosecutor? At the same office that indicted him. No, are you serious? Yeah, he's a long time Silicon Valley fixture, previously headed up security for Facebook, and he's charged with obstructing a government investigation and defrauding drivers in addition to hiding the data breach. He faces as much as 20 years in federal prison if convicted.
So he was Uber's former chief of security and it's really divided the security industry. So they were stunned when he was fired back in 2017 and he was accused of mishandling the incident the year before. And despite the scandal, Joe Sullivan got a new job as chief security at CloudFair, which is the internet infrastructure.
Um, as the investigation into the incident at Uber continued, um, and in 2020, the same prosecutor's office where Sullivan had worked decades earlier, charged him with two felonies, um, which is the first time a company executive has faced criminal liability for a data breach. Um, he's pled not guilty. They adamantly denied that what they did was wrong. Um, and like we said, it's, it's, it's really polarized.
polarized it. What prosecutors are alleging is that Sullivan directed the hackers to the company's bug bounty program, similar to what we were just talking about, which Uber, like many companies, set up as a financial incentive to third parties to report its security vulnerabilities. Okay, so it's just what you and I were just talking about. Uber ultimately paid the hackers, two men in their 20s, $100 ,000 each in Bitcoin.
Dino Mauro (01:13:52.431)
the non -traceable cryptocurrency and had them sign non -disclosure agreements according to the criminal complaint pending that's at trial right now. Uber didn't, because they did it through the bug bounty program, they didn't have to tell the world. They didn't have to tell anybody there was a data breach. Okay? And they didn't have to tell the FTC, the Federal Trade Commission, with whom they were talking with about a prior breach.
before the 2016 one. So it only became public in 2017 when Uber's new CEO, right? Dera, Kajwa Shahi, I apologize, Dera. I'm sure that's close. He came in and he wanted to change things, he wanted to change the image, because as we reported before, there was a cultural thing with their prior CEO and everything, and there were lots of scandals, and he wanted a clean house.
And he came in and he fired Joe Sullivan. You know, data breach laws generally require companies to notify individuals when their personal data has been exposed. And the two guys that they had paid that $100 ,000 to, they pled guilty to hacking. Later. So at last week, the Uber CEO, the current one, Dera Khashrashahi, right?
testified and so did their former in -house counsel, their lawyer. So Bloomberg reported that this current CEO of Uber was called as a government witness right off the bat in this federal court charges against Joseph Sullivan. The CEO testified that he learned early in his new job of inconsistencies in what Sullivan reported about the incident.
and why it hadn't been disclosed to regulators. He testified, quote, I thought the decision not to disclose at the time was wrong decision that led me to conclude that I needed to bring in a different head of security, unquote. That's what he told the jurors in the case. And he said, quote, I need to trust my direct reports, unquote. Sullivan claimed the company made him a scapegoat for its tardy public disclosure of
Dino Mauro (01:16:16.783)
the breach. So that's what's going on right now in the trials. The CEO testified, but then they had another witness. The former in -house counsel, their lawyer, their internal lawyer, Mark, for Uber, who had been fired also, he testifies against Sullivan. And check this out. So you remember when I was talking about the bounty program and the nondisclosure agreements? Yep. So when we...
If you and I were involved in this and we were writing this up, would you and I write those agreements or would we get our in -house lawyer to do it? You'd probably get the attorney to do it. Yeah, just to make sure we didn't use a form that was outdated or unconstitutional. Template from 98. Yeah, exactly. Template, word, 1995. Yeah, let's use that one. That one looks good. The other ones are like 10 pages. Right. Okay.
So a former top in -house attorney for Uber took the stand Wednesday last week in the criminal case, testifying that his boss changed the language in a nondisclosure agreement with two hackers to cover up the data breach. Wow. According to courthousenews .com, resources will be cited in the show notes. And on Prime, you guys are free to check it out and go look it up yourselves. So his name was Craig Clark.
He was given immunity. So whenever I hear about the immunity and I used to be involved in this with the immunity thing, you just, you just never know, right? Because how does he get immunity? How do you know? Like, it's just a weird, you just don't know what is being said. Anyway, Craig Clark was given immunity. So he, anything he says, he didn't like, they can't touch him. So they can say anything.
was given immunity in exchange for testifying against Sullivan. Under questioning by assistant US attorney, Andrew Dawson, Clark said he recalled Sullivan asking how the incident could be funneled through Uber's bug bounty program. So what this lawyer is saying is I was there as the lawyer, the chief security officer came to me and said, dude, we got a big data breach. Here's how I'm understanding this. Tell me if.
Dino Mauro (01:18:42.639)
No, this is, yeah, that's dude. We got a data breach. How do we not disclose this to the public? Our stock is going to go down. We're going to look like fools. It's bad, right? And he said, how about if we put it through the bug bounty program? How about if we say, oh, it's not a breach. It's just a vulnerability. We're just going to pay them for that. Right. So he recalled Sullivan asking how the incident could be funneled through Uber's bug bounty program.
where researchers are paid to find and report security flaws. He testified this, he goes, quote, I remember Joe asking or saying, how can we fit this into the bug bounty? He said this on the stand of the jurors. Did you take that as a directive to fit this into the bug bounty program? US Attorney Dawson asked, and Clark answered, yes. Clark testified that if the hack was classified as a bug bounty,
the company would not be required to report it as a data breach. Yep. He said, quote, What is your understanding if Mr. Sullivan was asking for legal advice or giving a directive? Meaning, was he asking you meaning the U .S. attorney here is saying, was he asking you whether you wanted this to be run through the bug bounty program or was he giving you a directive? Tell me how to do this.
is this is what I'm going to do. There's a difference legally. Yeah. I would imagine. But right. Sure seems like it. Right. And the former attorney says I took it as both. It was we need to fit this into the bug bounty program. And how are we going to do it?
So that's interesting. It's right on that line, right? Yeah, yeah. It's right on that line. So here is in -house counsel, right? You don't have the leeway of being outside counsel. Outside counsel, you could say, no, this is a data breach. We have to follow it because you're independent, right? As in -house counsel, you guys both serve the same master, right? You both want there not to be a data breach. If you're outside counsel,
Dino Mauro (01:21:01.263)
If it's a data breach, if it's not, you want them to be to do the right thing. You can direct them appropriately. In -house counsel, you both, you're kind of swayed, right? It's almost like, you know, like if there's a data breach, it's really bad for me. Outside counsel, they got a thousand different clients. Might be bad for this client, but when clients have issues, right? That's when lawyers make money, right? Your issues are their fifth car, right?
So Clark said this conversation happened after he found out. Here's the significant part.
Former attorney said this conversation happened after he found out that 600 ,000 driver's license numbers had been proposed. Whoa. Whoa. So when asked about his reaction to this knowledge, Clark said, quote, it was a big sigh and maybe an expletive that we were in reporting land. Yep. Once we knew we had driver's license numbers pretty much
Everybody knew the implications of that.
So Clark said he got right to work figuring out a way to turn the breach into a bounty. After a couple of hours, he came up with a theory. Uber would treat the two hackers as employees or agents of the company. Of course, it would have to be post -dated. Also, quote, we had to get the data back, know who they were, and make sure the information had not been disseminated.
Dino Mauro (01:22:40.815)
we needed to have a relationship such that they could be referred to as agents. So they made them almost like their employees or agents and they post dated it. So they want the extra step to cover this up it seems. Right. On the other side of the coin because in a courtroom especially a federal courtroom there's always going to always be two sides of it.
David Angelie, a lawyer for Sullivan, told jurors in opening arguments that former security chief Joe Sullivan was targeted by new management at Uber as part of Kashar Shahi's campaign to make a clean break from the company's problematic past. Okay, that seems right. He told the jurors his mantra was Uber 2 .0. Okay, he wanted to turn the page on what Uber was doing and basically what...
His counsel saying he was made the scapegoat. They threw him under the bus. They threw Joe Sullivan under the bus. And as you and I have investigated and been involved in a lot of these and talked to people that have been involved in thousands of these, the one thing I know is it's never just one person. Right.
Dino Mauro (01:24:04.495)
Today, the irony that Joseph Sullivan, a former federal prosecutor himself, who tried some landmark cases as a prosecutor, including the first case in the US, prosecuting under the Digital Millennium Copyright Act for the prosecution of a hacker who breached NASA's Jet Propulsion Laboratory. And the irony that he now has been tried and convicted is not lost on him or the startup community or the cybers community.
uh, industry itself. This case has resulted in many CISOs, chief information security officers, questioning their role and responsibilities when it comes to personal liability and reliance on the company leaders, which they serve. More than 20 years after Joseph Sullivan started as a prosecutor against criminals, he found himself on the other side of the table. The verdict after the trial came in,
last October was clear. Despite thinking he would win a trial, the verdict came in guilty against Joseph Sullivan. A San Francisco jury found him guilty on charges of obstructing an official proceeding and misprision of a felony, a failure to report the wrongdoing offense. In May of last year, he was sentenced to three years probation.
Many argue that the sentence was too light, given that he was facing 20 years in prison. Many argue that it was seriously too heavy. Today, Joseph Sullivan, after taking a year to reevaluate his life and the context in which he found himself, he's the CEO at a nonprofit dedicated to providing humanitarian and technology aid to the people of Ukraine.
And this case has had a huge impact on the cybersecurity community and security leaders and IT leaders across the globe questioning their own roles and potential personal liability. The life lessons found in this case will be long -term. Let us know in the comments what insight you have on this story or email us at info at cybercrimejokies .com. This
Dino Mauro (01:26:29.615)
was the story of what happened at Uber and how cybersecurity leaders can be liable.