The Uber data breach cover-up: A timeline of events

When former Uber CSO Joe Sullivan was charged earlier this month for his alleged role in the Uber data breach cover-up, it was the latest in a series of events for the ride-sharing company that date back to 2014.

Sullivan, who is currently CSO of Cloudflare, was charged with one count of obstruction of justice and one count of misprision of a felony in connection with Uber’s response to the 2016 data breach. Prosecutors claim he orchestrated the cover-up by paying $100,000 in “hush money” to the threat actors behind the breach and disguising the payment as a bug bounty reward. The goal, according to the criminal complaint against Sullivan, was to conceal the 2016 Uber breach from both the public and the U.S. Federal Trade Commission (FTC), which was investigating Uber over an earlier data breach.

The Uber data breach cover-up and the case against Sullivan feature several key dates and developments, according to court documents and statements from the FTC. Here is a look at some of the major dates:

May 12, 2014: Threat actors access personal data of Uber customers and drivers contained in an AWS S3 bucket. The attackers used an AWS access key that was publicly posted to GitHub and obtained data that included 100,000 drivers’ names, driver’s license numbers, physical addresses, email addresses and other information.

September 2014: Uber’s security team discovers the intrusion and begins investigating the incident.

February 2015: Uber sends breach notifications to its drivers and also discloses the attack to the FTC, which begins an investigation into the incident.

April 2, 2015: Uber hires Joe Sullivan as its first CSO. Sullivan previously served as Facebook’s CSO for five years.

Nov. 4, 2016: Sullivan gives sworn testimony to the FTC regarding its investigation into the 2014 breach, which predated his arrival at the company. Sullivan testified about Uber’s use of AWS S3 storage buckets, as well as data privacy practices to protect data stored in those buckets.

Nov. 14, 2016: Sullivan receives an email from anonymous threat actors claiming they exploited a “significant vulnerability” and gained access to an Uber database. Uber’s security team investigates the claim and discovers attackers used stolen GitHub credentials to access Uber’s private code repository, where they found AWS credentials and accessed an S3 bucket with the database.

Nov. 15, 2016: Sullivan contacts then-CEO Travis Kalanick about a “delicate” issue, according to records of text messages. Kalanick spoke with Sullivan and then sent a text message discussing how the issue could be treated “as a [bug] bounty scenario.”

Dec. 8, 2016: Using HackerOne’s bug bounty platform, Uber authorizes a $100,000 payment to the threat actors behind the breach, who later sign non-disclosure agreements regarding the incident.

January 2017: Uber’s security team identifies the threat actors behind the breach.

April 19, 2017: Uber sends a letter to the FTC requesting the commission close its investigation into the company’s 2014 data breach. The letter states that Uber had fully cooperated with the FTC and provided “exhaustive” responses to investigators’ questions, while also claiming Uber’s security team had implemented “several and in depth supplemental protections” for data stored in its S3 buckets to prevent a repeat of the 2014 incident. The letter does not disclose the 2016 breach.

June 21, 2017: Kalanick steps down as CEO of Uber following several scandals.

Aug. 15, 2017: Uber and the FTC agree to a proposed settlement regarding the company’s 2014 breach, as well as claims that Uber employees had improperly accessed customers’ personal data. The settlement prohibits Uber from misrepresenting its security practices and requires the company to implement a comprehensive privacy program and to undergo third-party audits every two years for the next 20 years.

Aug. 29, 2017: Uber names Dara Khosrowshahi as its new CEO.

September 2017: Sullivan is asked to brief Khosrowshahi about the 2016 Uber data breach. However, according to court documents, Sullivan’s briefing omits key details about the breach.

Nov. 21, 2017: In an open letter, Khosrowshahi discloses the 2016 breach with an apology for not disclosing the incident earlier. On the same day, Bloomberg first reports that Sullivan and Craig Clark, a senior attorney on Sullivan’s team, have been fired for concealing the breach and paying off the hackers.

April 12, 2018: The FTC announces it has withdrawn the proposed settlement with Uber regarding the 2014 data breach and criticizes the company for concealing the 2016 breach during its initial investigation.

May 16, 2018: Cloudflare hires Sullivan as its new CSO.

Aug. 2, 2018: A grand jury indicts Brandon Charles Glover and Vasile Mereacre for attempted extortion of Lynda.com (now LinkedIn Learning), an online job training and education provider. Glover and Mereacre are accused of gaining access to 90,000 Lynda accounts and demanding payment from LinkedIn in December 2016.

Sept. 26, 2018: Uber agrees to a settlement with the attorneys general of all 50 states and the District of Columbia regarding the 2016 data breach. Uber agrees to pay a record $148 million penalty for concealing the breach.

Oct. 26, 2018: The FTC approves a revised settlement with Uber. The company is subject to civil penalties for any failures to disclose future breaches or security incidents involving unauthorized access to consumer and driver data.

Oct. 30, 2019: The Department of Justice announces that Glover and Mereacre, then 26 and 23, each pleaded guilty to conspiracy to commit extortion in a superseding indictment related to the Uber data breach. The two men acknowledge Uber paid them $100,000 through HackerOne under the guise of a bug bounty.

Aug. 21, 2020: Sullivan is charged with one count of obstruction of justice and one count of misprision of a felony. Authorities claim Sullivan covered up the 2016 breach from the public and the FTC in an effort to obstruct the FTC’s investigation into Uber’s security practices.