It’s been said before that the wheels of justice are often extremely slow in cybercrime intrusion cases. This is due to the fact that the perpetrator is easily lost in the wind. Sometimes, however, in unique circumstances, attempting to cover up an intrusion to save face for yourself or your company can take almost as long.
In a case that was well known through at least a couple of news cycles from 2016, Uber, the 21st-century competitor to taxi service, was hit with a massive cyber-attack, in which two hackers (Brandon Glover and Vasile Mereacre) allegedly accessed and downloaded a database containing information on 57 million Uber users and drivers. Especially damaging were the 600,000 driver’s license numbers that belonged to Uber drivers. During this time, the hackers contacted Joseph Sullivan, Uber’s Chief Security Officer, and in a twist to the plot of most ransomware cases, demanded $100,000 from Sullivan in exchange for silence about the data breach. Allegedly, Sullivan framed the ransom as a “bug bounty” payment for finding flaws in Uber security and software devices. To enforce their promised silence for the payment, Sullivan, according to the government complaint, asked them to sign NDAs that were false as to the possession of the data they stole – the hackers already had it even though the NDA said otherwise.
To make matters worse for Sullivan, he had previously testified to the FTC, which was investigating a 2014 breach of Uber, that corrective action had been taken by Uber as to data storage, which, in fact, it had not. The course of the FTC investigation took three years to complete, well after the 2016 breach occurred. Only a very select few members of Sullivan’s team and Uber legal counsel knew about the 2016 breach and how it was purportedly handled. It was not until 2017 that Uber’s new CEO found out about the breach, which was already revealed to the FTC around that same time frame. Shortly thereafter, Glover and Mereacre pled guilty to hacking and stealing information from other companies after the Uber attack. If I had to guess, I’d say that Glover and Mereacre became very cooperative witnesses for the government against Sullivan in 2018 and 2019, because a Grand Jury, in 2020, indicted Sullivan on Obstruction of Proceedings and Misprision of a Felony (failure to report to authorities).
Finally, this week, the Sullivan matter is set for criminal trial in the United States District Court, Northern District of California. The defense filed a motion, which was decided last week, to exclude various evidence the government is expected to introduce at trial, specifically the guilty pleas of Glover and Mereacre, some of the statements they made to authorities surrounding the 2016 events, and expert witness testimony on bug bounties. The trial judge denied most of the motion and reserved judgment on some specific points until trial.
There are several weird nuances to this case that may even be considered teaching points. Criminal cyber intrusion cases move slowly most of the time due to the difficulty of locating hackers and bringing them to court; in this case, waiting for them to go to trial before putting the hammer down on Sullivan made this axiom indirectly true. You may never know where your best witness will come from. It is not every day you see a hacker testify in a criminal proceeding against a Chief of Information Security. Secondly, NDAs really work better when dealing with legal activities. Finally, do not try to dress up a ransom and take it to the prom disguised as a bug bounty. Your popularity with the crowd will be fleeting.