Former Uber Chief Security Officer to Face Wire Fraud Charges (justice.gov)
140 points by sofixa 4 days ago | 47 comments

Some "Reply All" podcast episodes that suspect, then later confirm the breach and Uber straight up lying about it when asked.




RIP that podcast. It's not the same show anymore.

It’s been on my todo list to listen to it. What happened? Did it sell?

> In early 2021, the podcast began releasing a series of episodes called "The Test Kitchen", which covered allegations of structural racism and a toxic work environment at the food magazine Bon Appétit. After the second episode aired, accusations came out about similar toxicity present in Reply All and Gimlet as a whole. On February 17, 2021, both Vogt and Pinnamaneni announced they were leaving the show.


> “If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair.

Are there any hints about the other “large tech company” hit by the same hackers? To be transparent to the authorities is not always easy, but in this case, it could have prevented another attack :/

Yes, mentioned almost at the end:

> The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the nature of the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.

> Lynda.com

Couldn't have happened to a nicer company! (for those unaware, it was bought by LinkedIn shortly before the hack)

To be honest most of the C-level of Uber seem super shady, so I'm not surprised that he "allegedly" did this.

The new management "noped" out of this pretty quick when they found out about it. Even they found this too shady and, clearly, dangerous.

What was the upside of lying here? Seems like getting hacked is pretty common these days and I'm not surprised at all if some product I'm using tells me that they leaked my PII.

Why not just reveal the breach? Why risk going to jail just to avoid looking bad in your job? I don't think they would have even let him go because of this.

You know he was pulling down big $$'s and he is very high profile; with a breach like that it most likely would have put his job in jeopardy, not to mention it's not going to look good on a resume.

Could be he thought that, but you know what looks better on the CV than a clean slate? A well-handled incident.

My money is on heavy peer pressure on this one.

I thought it was really interesting that Mr Sullivan is a former US Attorney. Surely he would have known he was putting himself in significant legal jeopardy, no?

Is he still the CSO for Cloudflare?

Not sure why you would even take the risk of keeping on someone who was previously indicted by the Department of Justice if trust is of high value to your company.

Yes, according to LinkedIn

The one thing I haven't understood is just what the value was of the non-disclosure agreement he asked the hackers to sign? Even if you abstract away that they are hackers who illegally accessed your data, apparently they were first signed... before??... Uber knew their real identities? So, what on Earth would a signature on a piece of paper from random internet aliases possibly accomplish?

LOL. Imagine being such a corporatist that you end up going to jail to protect your employer.

"Uber’s new management ultimately discovered the truth about the breach and disclosed the breach publicly, and to the FTC, in November 2017."

This is so weird. Did the "old management" aka TK and Thuan Pham know about this and instruct that guy to pay $$$ and keep quiet? Sounds like it? Or did he pay the ransom secretly out of his own pocket?

So maybe it's someone else that should be held accountable and the "new management" is just throwing the CSO under the bus?

So, even in the US sweeping your breaches under the carpet is no longer an option. The GDPR explicitly deals with this; unfortunately, it still leaves some room for lawyering by not making explicit what a reportable breach is. Any breach should be a reportable breach, that would get rid of the gray area. But great to see the Justice Department deal with this in a way that is responsible towards the victims of the breach, accountability of management is a good first step in the right direction.

It does:


"Personal data" is the threshold.

Yes. So the loophole is that if a company can plausibly claim that they didn't know any personal data was taken (for instance: by not having logs, which in practice leads quite often to 'hmmm, what if we no longer had logs'), then they can pretend it didn't happen. Which of course is super dumb because if in due course it turns out that personal data was taken and that evidence was removed then you are really in trouble.

Which is why I'm arguing for reporting any breach, not with a threshold of type or quantity of data stolen. If you had a breach and you believe that no data was taken you should still be required to report it and if it turns out that you have made evidence of a breach disappear that should automatically trigger the worst penalties under the law.

Yes the Europeans are experiencing a lot less PII loss. lol.

Yes. The PII of all citizens of EU countries isn't leaked out there (there have been country-wide breaches like in Bulgaria, but it's the exception), and when leaks do happen, people learn about them quickly and the companies get fined if they were at fault/handled it badly.

Oh, and EU PII is drastically less useful. Most countries in the EU have national ID systems, which are used and required for anything important (like a new bank account or loan). A bad actor could still use PII for social engineering though.

This happened at Sinclair Broadcast Group as well; someone should investigate.

I have a feeling companies in the US will have difficulty filling CISO roles without offering golden parachutes (which kick in if the CISO is let go after disclosing a breach) in future.

In cases of breaches there will often be commercial pressure in a company not to disclose (to avoid financial impact).

With personal criminal liability being a possibility for the CISO, they are then placed in the position of disclosing regardless of internal pressure (risking their job) or not disclosing (and risking criminal prosecution).

I recently interviewed for a CISO role with an explicit “no fault” separation and payout clause in the event of a breach that occurred and required reporting despite security best practices/efforts to avoid. It’s already a thing, and seems to be a given that the CISO is a sacrificial role.

Whistleblowers are protected from retaliation due to disclosure by law (they don't need to risk their job), I'm not sure a golden parachute would afford much extra protection.

I would argue the golden parachute is better, since it leaves both parties in a state of resolution. A whistleblower law may provide legal coverage but it is not difficult to imagine the social pressure being applied afterwards to someone who "stirs up a mess".

It’s worth a shot. I agree with you the laws are there not just in America but in a lot of countries. However, the facts are fairly clear on the ground that whistleblowers suffer miserably. Then only some, after an ungodly amount of time, are hailed as heroes.

That's one of the great parts of GDPR, disclosures are mandatory and DPOs are personally responsible for disclosure, so they have to do it regardless of internal pressure.


This case is setting groundwork for just what and how far the FBI can pursue company employees based on how the companies handle a breach. It could have a big impact on the tech sector.

Yes, it's highly relevant to any company that handles people's sensitive personal data. Here's an excerpt:

> “Institutions that store personal information of others must comply with the law,” said Acting U.S. Attorney Hinds. “When hacks like this occur, state law requires notice to victims. Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either. We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company.”

I hate the way HN hides comments like this. People should be allowed to see the idiocy of others, lest they be doomed to repeat it.

There's a setting in your profile to enable seeing flagged comments.

Tech company, computer security breach, paying off hackers, hiding from government.

Why would this not be on Hacker News?

Also, the link is directly to the indictment release from the relevant justice department; it’s not even a news, aggregator or “gossip” site.

This is the most egregious “why is this on HN” I’ve seen.

> “If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair.

NOTE: So, if you are blackmailed by hackers and pay, you now go to federal prison. The only way to play with the hackers is to not work with the FBI (obviously). I understand the 'anti-Uber HN hate' here, but wow, being attacked by hackers, then getting scared, playing along, paying out blackmailers, then going to federal prison? Wire fraud could be 20 years in federal prison. This guy is worse than a rapist? Not following.

Also, if the FBI wants to talk to you, get a lawyer; they have no interest in "assisting" you. They do enjoy posting your name on "www.justice.gov" to permanently destroy your career though. Never, ever, ever talk to the FBI.

> Wire fraud could be 20 years in federal prison. This guy is worse than a rapist?

Wire fraud that destroys someone's life savings (i.e. on the Madoff scale) can arguably be put in the same ballpark as a sexual assault, in terms of net damage inflicted. Plus wire fraud has the potential to inflict damage on large numbers of people. So that's probably what the maximum penalty is motivated by. (Whether the maximum applies in this case is a separate matter.)

> Being attacked by hackers, then getting scared, playing along, paying out blackmailers, then going to federal prison?

What you're allegedly paid for as a CSO, or chief-anything of a large publicly traded company (and at a level astronomically higher than that of your rank-and-file muscle workers who you won't even dignify as "employees") is your awareness of the law (or at least the minimal sense to ask a lawyer), and your ability to not shit your pants in these situations -- but to act rationally.

"Can't do the time, don't do the C-level".

Does anyone else find it odd that often press releases are highly upvoted on HN (as opposed to a news article on the subject)? I understand it's source material, but the objectivity you will find in a press release is almost certainly less than you will find in a good news article.

Even for things like this, of broader interest and some controversy, the news articles often are just abridged versions of a press release, anyway.

Might as well get the full sack of horse shit from the original source than half a sack from a secondary.

A news source will at least try to get the other side of things.

In a criminal case like this, the other side is unlikely to say anything very specific in their own defense, to avoid jeopardizing their case in court. So the press release is most of what a news outlet will have to go on.

It’s an indictment so it’s really the only (palatable) side available right now. The person indicted is unlikely to give a statement because anything they say could harm their defense. Their attorneys certainly will not speak in any substantive way. That leaves media outlets with options like ‘contact their grandma’ to try to get a statement.

Some journalists will try stuff like that, but that’s arguably worse than a press release.

This case has implications across the board for CISOs that have to deal with incidents like this. I believe this case also dealt with a payout for a "bug bounty".

It did.

If you're interested, the congressional hearing is here. That hearing is still the primary source for this story. It's worth some time; some journalists have tried to cover this but mostly just cherry-picked quotes. The entire hearing is better than any of the coverage.


You can watch the hearing on that page (it's more interesting to watch than to read) or find links to the various witnesses and their testimony. For example, if you want to read John Flynn's testimony, it is available here (.pdf):

John Flynn - CISO @ Uber - https://www.commerce.senate.gov/services/files/7D70E53E-73E9...

At this point, the only real lesson for CISOs seems to be 'report'.

This isn't really a "press release" of the type that usually annoys me; this is the release of the indictment from the Justice Department involved. It's pretty detailed. I'm sure we'll get the balanced news at some point, but I'm sure even Uber (the new management mentioned in the release as having published the hack) will avoid getting involved in this other than to say something like "check the release, you'll see we cooperated as soon as we found out".
