AO 91 (Rev. 11/11) Criminal Complaint

UNITED STATES DISTRICT COURT
for the
Northern District of California

United States of America
v.
JOSEPH SULLIVAN
Defendant(s)

Case No. 3-20-71168 JCS

FILED Aug 20 2020
SUSAN Y. SOONG
CLERK, U.S. DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO

CRIMINAL COMPLAINT

I, the complainant in this case, state that the following is true to the best of my knowledge and belief.
On or about the date(s) of Nov. 15, 2016 to Nov. 21, 2017 in the county of San Francisco and elsewhere in the Northern District of California, the defendant(s) violated:

Code Section: 18 U.S.C. § 1505
Offense Description: Count One: Obstruction of Justice
Max. Penalties: 5 years in prison; $250,000 fine; 3 years of supervised release; $100 special assessment; restitution; forfeiture

Code Section: 18 U.S.C. § 4
Offense Description: Count Two: Misprision of a Felony
Max. Penalties: 3 years in prison; $250,000 fine; 1 year of supervised release; $100 special assessment; restitution; forfeiture

This criminal complaint is based on these facts:
The attached affidavit of FBI Special Agent Mario C. Scussel.

Continued on the attached sheet.

Approved as to form: /s/ AUSA Andrew Dawson

Complainant’s signature: s/
Printed name and title: Mario C. Scussel, SA FBI

Sworn to before me by telephone.

Date: 08/19/2020
Judge’s signature:
City and state: San Francisco, California
Printed name and title: Hon. Joseph Spero, U.S. Magistrate Judge

Case 3:20-cr-00337-WHO Document 1 Filed 08/20/20 Page 2 of 20

AFFIDAVIT OF SPECIAL AGENT MARIO C. SCUSSEL IN SUPPORT OF CRIMINAL COMPLAINT

I, Mario C. Scussel, a Special Agent of the Federal Bureau of Investigation, being duly sworn, hereby declare as follows:

I. OVERVIEW AND AGENT BACKGROUND

1. I make this affidavit in support of a two-count Criminal Complaint against JOSEPH SULLIVAN (hereinafter SULLIVAN):

a. Count One: Obstruction of Justice, in violation of 18 U.S.C. § 1505;
b. Count Two: Misprision of a Felony, in violation of 18 U.S.C. § 4.

For the reasons set forth below, I believe there is probable cause to believe SULLIVAN has committed each of the foregoing violations of federal law.

2. The statements contained in this affidavit come from my personal observations, my training and experience, information from records and databases, and information obtained from other agents and witnesses. This affidavit summarizes such information in order to show that there is probable cause to believe that SULLIVAN has committed the violations listed above. This affidavit does not purport to set forth all of my knowledge about this matter, or to name all of the persons who participated in these crimes.

3. I am a Special Agent of the Federal Bureau of Investigation (“FBI”) and have been so employed for approximately 12 years. I am currently assigned to the Complex Financial Crime Squad of FBI’s San Francisco Field Division. As part of my assigned duties, I investigate possible violations of federal criminal law, specifically investigations involving white collar crimes. I successfully completed 21 weeks of New Agent Training at the FBI Academy in Quantico, Virginia in January 2009. During that time, I received training in legal statutes and procedures, financial investigations, money laundering techniques, asset identification, forfeiture and seizure, physical surveillance, confidential source management, and electronic surveillance techniques.

4. During my employment with the FBI, I have conducted interviews of witnesses, victims, and subjects; conducted physical surveillance, executed search warrants and arrests; reviewed evidence and documents; transported evidence, and prisoners. Prior to my employment as a Special Agent, I also worked for the FBI, as an Investigative Specialist conducting surveillance operations for Counterintelligence and Counterterrorism investigations. I earned a Master’s Degree in Business Administration from the University of California at Berkeley – Haas Business School as well as Master of Arts and a Bachelor of Arts Degrees in Psychology from Stanford University.

II. APPLICABLE LAW

5. Title 18, United States Code, Section 1505 provides: “Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States, or the due and proper exercise of the power of inquiry under which any inquiry or investigation is being had by either House, or any committee of either House or any joint committee of the Congress—Shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.”

6. Title 18, United States Code, Section 1515(b) provides: “As used in section 1505, the term ‘corruptly’ means acting with an improper purpose, personally or by influencing another, including making a false or misleading statement, or withholding, concealing, altering, or destroying a document or other information.”

7. Title 18, United States Code, Section 4 provides: “Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.”

III. FACTS SUPPORTING PROBABLE CAUSE

A. Summary

8. SULLIVAN is a 52-year-old male, living in Palo Alto, CA. Between approximately April 2015 and November 2017, SULLIVAN served as Chief Security Officer for Uber Technologies Inc. (“Uber”). During his tenure, SULLIVAN assisted in overseeing Uber’s response to a Federal Trade Commission (“FTC”) investigation into Uber’s data security practices. That investigation had been triggered, in part, by a data breach suffered by Uber in approximately 2014.

9. In the course of Uber’s response to the FTC’s investigation, SULLIVAN participated in conference calls with FTC attorneys; reviewed Uber’s submissions to the FTC; gave a presentation to FTC staff in Washington, D.C.; and sat for a sworn investigative hearing similar to a deposition. SULLIVAN was therefore intimately familiar with the nature and scope of the FTC’s investigation, and he held himself out as familiar with that investigation. Nevertheless, when SULLIVAN learned that Uber’s systems had been hacked in approximately November 2016—approximately ten days after SULLIVAN had provided sworn testimony to the FTC—SULLIVAN engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers. When Uber brought in a new CEO in 2017, SULLIVAN lied to him about the circumstances surrounding that data breach. Uber’s new management ultimately disclosed the breach to the FTC in November 2017, explaining that the hackers had obtained the names and driver’s license numbers of approximately 600,000 Uber drivers and some personal information associated with 57 million Uber users and drivers. SULLIVAN’s employment was terminated by Uber at approximately the same time.

10. In sum, business records generated in the course of the response to the breach reflect that SULLIVAN instructed his team to keep knowledge of the 2016 Breach tightly controlled. Witnesses reported SULLIVAN was visibly shaken by the events. A witness also reported that SULLIVAN stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out. SULLIVAN instructed the team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under its “bug bounty” program. Bug bounty programs are designed to incentivize white-hat hackers, or “researchers,” to identify security vulnerabilities by offering a monetary reward in exchange for such efforts. However, the terms and conditions of Uber’s bug bounty program did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems. Nevertheless, Uber arranged for its bug bounty vendor to pay the hackers $100,000, which at the time was by far the largest bounty that Uber had ever paid through the program.

11. SULLIVAN further insisted that the hackers agree to sign non-disclosure agreements (“NDAs”) in exchange for the $100,000 bounty payment that would supplement the standard terms of Uber’s bug bounty program. Such a supplemental NDA was not a typical component of a bug bounty claim, and witnesses I have interviewed do not recall Uber requiring a supplemental NDA in any other bug bounty claim. Moreover, the NDA SULLIVAN authorized falsely represented that the hackers had not obtained or stored any data during their intrusion. Both the hackers and SULLIVAN knew at the time that this representation in the NDA was false. This misrepresentation concealed the fact that the hackers had, in fact, stolen data, thereby falsely giving the incident the appearance of a typical bug bounty claim rather than a data breach. The hackers’ ransom was paid in December 2016 via bitcoin, even though the hackers by that time had refused to sign the NDAs in their true names and had not yet been identified by Uber. Uber’s staff continued to work on identifying the hackers and were able to eventually identify them in January 2017, at which point SULLIVAN dispatched security staff to interview both hackers and obtain signed NDAs from them in their true names. The true-identity NDAs continued to include the claim that SULLIVAN, Uber, and the hackers knew to be false: that the hackers had not taken data from Uber.

12. Records further indicate Uber’s management team, with the sole exception of Uber’s C.E.O. at the time, had no contemporaneous knowledge of the details of the data breach and had no role in the decision to treat the breach under the Bug Bounty program.

13. In the months following the data breach, Uber and SULLIVAN continued to respond to the FTC’s inquiries. For example, in December 2016, SULLIVAN was aware that Uber was preparing to provide an update to the FTC about employee access to personally identifying information. Nevertheless, SULLIVAN never informed the FTC of the 2016 data breach, even though he was aware that the FTC’s investigation focused on data security, data breaches, and protection of PII. In addition, witness interviews indicate that SULLIVAN did not inform the Uber attorneys working on the FTC investigation—either in-house or outside counsel—that the breach had occurred.

14. In approximately August 2017, Uber named a new Chief Executive Officer. Two months later, Uber disclosed the 2016 data breach publicly, apologizing for the failure to do so promptly. Uber fired SULLIVAN and a security attorney assigned to his team.

B. The Federal Trade Commission Investigation

15. In February 2015, Uber informed the FTC that it had suffered a data breach in September 2014 (“the 2014 Breach”). The FTC subsequently began investigating the circumstances of the 2014 Breach, gathering information via document requests and interrogatories contained in Civil Investigative Demands. Uber was in frequent contact with the FTC via outside counsel, sharing information on a proactive basis and in response to both formal and informal inquiries from FTC staff.

a. 2014 Data Breach

16. According to Uber’s disclosures to the FTC, the 2014 Breach occurred when an outsider was able to gain access to data Uber stored on an Amazon Web Services (“AWS”) platform known as S3. The outsider located an AWS access ID and secret key in software code posted to GitHub, which is a web-based platform used by software developers to store and share code. The outsider then used that access ID and secret key to gain access to Uber’s data. Uber later determined the file accessed by the outsider contained enough information to allow a user to match names and drivers’ license numbers of approximately 50,000 drivers. According to Uber’s disclosures, the database was not encrypted.

b. First Civil Investigative Demand

17. On May 21, 2015, the FTC issued a Civil Investigative Demand (“CID”). Included in the CID were four interrogatories, each with various subparts. The fourth interrogatory required Uber to provide, “[w]ith respect to any Breach or suspected breach,” a variety of information including:

• “When and how the Company learned of the breach,”

• “The location, type(s), and amount(s) of Personal Information that unauthorized person(s) could have accessed or viewed,”

• “The location, type(s), and amount(s) of Personal Information that the unauthorized person(s) did copy, download, or remove”; and

• “[W]hen and . . . how the Company notified Consumers, law enforcement, and other third parties about the Breach.”

18. The CID defined “breach” as “unauthorized access into the Company’s systems or to Personal Information in the Company’s file(s), including but not limited to the unauthorized access to the Company’s database(s) that took place on or around May 12, 2014 [the 2014 Data Breach].” “Personal Information” was defined broadly as “individually identifiable information from or about an individual Consumer,” specifically including “a driver’s license . . . or other personal identification number.” The applicable time period was defined as “from January 1, 2014, until the date of full and complete compliance with this CID.”

c. SULLIVAN’s Role in the FTC Investigation

19. On September 25, 2015, Uber provided a set of interrogatory responses which explained its use of Amazon’s S3 platform. The responses disclosed that SULLIVAN and one of his direct reports “supervised the preparation of Uber’s response to this CID.” The response explained that “Uber’s Amazon S3 datastore is divided into 101 buckets,” and these buckets could be divided into three types: (1) application logs; (2) static files; and (3) other buckets, which included “storage of database backups and database prunes . . . .” As to the storage of “database backups and database prunes,” Uber explained that a “complete database backup” is “retained to allow service restoration in the event of system failure,” while a “database prune” is a “snapshot containing limited data used to realistically simulate the production environment for purposes of development and testing . . . .” Uber further stated that beginning in August 2014, all new database backup files were encrypted.

d. SULLIVAN’s FTC Testimony

20. On June 10, 2016, the FTC issued a second CID, which required Uber to designate an officer to provide sworn testimony on a variety of topics. As a focus among these topics, the FTC compelled testimony on a variety of issues related to S3, Uber’s use of encryption, and Uber’s retention of personally identifying information (“PII”). Uber designated SULLIVAN as its witness, and he was prepared extensively for the hearing by both in-house and outside counsel, over the course of approximately four days which spanned several weeks, with meetings ranging from an hour to an entire day.

21. The hearing took place on November 4, 2016. By this time, the FTC’s investigation was focused in large part on Uber’s use of S3 and its implications for data privacy. SULLIVAN testified that he understood that the 2014 Breach, which predated SULLIVAN’s employment at Uber, involved an Amazon Web Services access ID that had been inadvertently posted publicly on GitHub. That ID gave an outsider access to Uber’s data. SULLIVAN elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service. This practice had implications when code was exposed to outsiders, because the code itself would give them access to Uber’s data. SULLIVAN explained that “key management”—that is, ensuring secret keys are not exposed to bad actors—“is always an important part of an overall security program for any company.”

22. SULLIVAN also testified about Uber’s storage of database backups in AWS. He was asked about Uber’s statement in an interrogatory response that all new database backup files had been encrypted as of August 2014, and he testified in detail about the weaknesses in Amazon’s native encryption functions and the fact that encryption became much more important as companies began moving to cloud-based infrastructure. SULLIVAN never contested that the 2014 Breach was a data breach and, in fact, acknowledged that.

C. The 2016 Breach and Cover-Up

23. Approximately ten days after SULLIVAN’s testimony, he learned that Uber’s AWS S3 datastore had been breached again. On November 14, 2016, SULLIVAN received an email from “johndoughs@protonmail.com” claiming to have found a “major vulnerability in uber,” and that “I was able to dump uber database and many other things.”

24. At SULLIVAN’s direction, Uber’s security team began an investigation. Within approximately a day, the security team realized an unauthorized person or persons had accessed AWS and obtained, among other things, a copy of a database containing approximately 600,000 drivers’ license numbers for Uber drivers. Based on documents I have reviewed and witness interviews I have conducted, within approximately the same time period SULLIVAN became aware the attackers had accessed AWS in almost the identical manner the 2014 attacker had used. That is, the attackers were able to access Uber’s source code on GitHub (this time by using stolen credentials), locate an AWS credential, and use that credential to download Uber’s data.

25. Contemporaneous documentation reflects SULLIVAN understood the sensitivity of this information. The response team generated a shared document referred to as the Preacher Central Tracker (“the Tracker”), which was used to record progress in the investigation and tasks assigned to various team members. In an update dated November 14, the Tracker stated:

    access key has not be rotated [sic] since [it was created in 2013]. None of the people are at the company any longer. Task was to rotate keys within S3 to ensure this could not happen in the future but there are thousands of tasks. Joe was just deposed on this specific topic and what the best or minimum practices that any company should follow in this area.

26. Based on the context within the Tracker and my review of the transcript of SULLIVAN’s testimony, I believe the reference to “Joe was just deposed” refers to SULLIVAN’s testimony to the FTC. The comment demonstrates that the similarity and connection between the 2014 Breach and the 2016 Breach was apparent to the response team at an early phase.

27. A later update recorded in the Tracker reflected the need to keep news of the breach confidential:

    Information is extremely sensitive and we need to keep this tightly controlled. Discussion with other Engineers must be tightly controlled. Joe is communicating directly to the A-Team.

28. Based on my investigation, I believe the term “A-Team” refers to the executive management team within Uber, representing the C.E.O.’s direct reports. SULLIVAN was a member of the A-Team. Based on my investigation and interviews with other management team members, I believe that contrary to the representation in the Tracker, only the C.E.O. and SULLIVAN had contemporaneous knowledge of the details of the 2016 Breach, including that drivers’ license numbers had been stolen.

29. Uber’s response to the breach, as reflected in the Tracker and other business records, required that engineers within the company take a variety of steps to lock down Uber’s data and prevent further access by the hackers. The Tracker contained the following guidance on how to justify such broad action without disclosing the nature of the 2016 Breach more widely within the company:

    What is our position to the company to talk about what we are doing? We had a data breach in 2014, we learned our lesson and we need to get our house in order. Hundred service centers must rotate their secrets. Our common story has to be:

    - This investigation does not exist.

    - We are doing this in order to better protect our information.

D. Bug Bounty and Non-Disclosure Agreements

30. The hackers made clear early in their email correspondence with Uber that they expected a six-figure payout. Email and text correspondence demonstrate that SULLIVAN and others considered using Uber’s bug bounty program to pay the hackers, even though that program had never awarded a bounty even close to $100,000 and had a nominal cap of $10,000. Moreover, Uber’s Hacker One policy terms contained language specifying that dumping user data from AWS did not comply with Uber’s policy:

    If you get access to an Uber server please report it us [sic] and we will reward you with an appropriate bounty taking into full consideration the severity of what could be done. . . . Using AWS access key to dump user info? Not cool.

31. Soon after learning drivers’ license numbers had potentially been exposed (at approximately 1:00am Pacific time on November 15, 2016), SULLIVAN reached out to Uber’s then-CEO via text message. At approximately 1:28am on November 15, SULLIVAN sent the following text:

32. Call records reflect that SULLIVAN and Uber’s then-CEO had a series of conversations via phone and/or FaceTime lasting approximately five minutes. At approximately 1:38am, the CEO responded:

33. Based on the timing and content of the text messages, compared with the timestamps visible in the Tracker, I believe SULLIVAN was informing the CEO that outside hackers had potentially accessed Uber’s data, specifically approximately 600,000 drivers’ license numbers. The CEO’s response reflects that the prospect of treating the incident under the bug bounty program was already being discussed.

34. SULLIVAN advised certain members of his team that the hackers would need to sign non-disclosure agreements (“NDAs”). To the best of my knowledge, Uber had not previously required a supplemental NDA in order to pay out a bug bounty claim, and SULLIVAN’s team began drafting a new contract. The primary author of the NDA was an attorney assigned to SULLIVAN’s group, but multiple individuals, including SULLIVAN, made edits over the course of the drafting process. The NDA forbade the hackers from disclosing “anything about the vulnerabilities or your dialogue with us to anyone for any purpose without our written permission. This includes any analysis or postmortem in any medium or forum.” That gag provision stands in stark contrast with the standard terms of Uber’s bug bounty program at that time. Uber’s policy at that time contained a Frequently Asked Questions provision. One listed question was “Can I blog about my bug?” The answer:

    Yes, but we ask that you wait until the issue is both fixed and paid out before you publish the blog post. We also prefer that you request disclosure through HackerOne so that readers of your blog post can get the full background on the issue.

35. The NDA also contained the following “promise,” under the “Your promises” section, which applied to the hackers: “You promise that you did not take or store any data during or through your research and that you have delivered to us or forensically destroyed all information about and/or analyses of the vulnerabilities.” Notwithstanding this “promise,” SULLIVAN and the hackers all knew that hackers had, in fact, already taken Uber’s data. In fact, the stolen data, and the risk that it could be publicly exposed or sold on the black market, is what gave the hackers leverage in demanding an unprecedented six-figure payout. But the language created the false impression to third parties, in the event the NDAs were ever publicly disclosed, that the hackers had complied with the terms of Uber’s bug bounty program and had never obtained copies of user or driver data.

36. Prior to sending the NDAs to the hackers for signature, SULLIVAN was advised of the false language in the NDA, and he responded that the language would stay in the agreements.[1] Based on my experience in this investigation, I believe this false and misleading provision reflects SULLIVAN’s intent to conceal the truth of the 2016 Breach—namely, the theft of vast quantities of PII—from the public, from law enforcement, and from the FTC.

[1] The witness who recalls this conversation initially asserted his rights under the Fifth Amendment and declined to be interviewed. He ultimately agreed to be interviewed pursuant to an agreement with the United States Attorney’s Office for the Northern District of California (“USAO”). In summary, the USAO agreed not to use any of the witness’s statements against him in exchange for his cooperation with the investigation.

37. The hackers initially signed the NDAs using pseudonyms. Despite their refusal to provide their real names, Uber arranged to have Hacker One pay the agreed-upon bounty. Payment was made on December 8, 2016. The next month, Uber personnel were able to identify two individuals responsible for the breach. Uber approached them, interviewed them, and arranged for them to sign fresh copies of the NDAs in true name.

E. Resolving the FTC Investigation

38. In the months following the breach, Uber and SULLIVAN continued to respond to the FTC’s investigation, but SULLIVAN never disclosed the 2016 Breach to the Uber personnel working on that response. For example, on December 20, 2016, SULLIVAN received by email a copy of a draft set of supplemental interrogatory responses, sent by the in-house attorney responsible for managing the FTC investigation. Language in those responses claimed once again that “all new database backup files” had been encrypted since August 2014. SULLIVAN responded “I think for FTC we can could present a pretty compelling narrative given how much we have done.” He did not disclose in the email, or in any other communications with the in-house attorney of which I am aware, that Uber had suffered another data breach in the weeks preceding the interrogatory responses.

39. In or about April 2017, SULLIVAN received a draft letter Uber planned to send to the FTC requesting that the FTC close its investigation into Uber. The cover email, to which the draft of the letter was attached, contained the following summary of the letter:

    we argue (1) Uber’s record of cooperation and engagement with FTC staff over the last 28 months has been exemplary; (2) even before the receipt of compulsory process, Uber came forward to provide information on a voluntary basis and has provided exhaustive information to staff; and (3) the data security incidents at issue reflect no misdirected priorities, no failure to appreciate risks, and no lack of security knowledge or care.

The cover email again made no mention of the 2016 data breach. SULLIVAN responded: “Letter looks ok to me. Thanks.”[2]

[2] While I have been able to review portions of the cover email, as quoted above, Uber has asserted the attorney-client privilege over most of the contents of the draft letter itself. As noted in subsequent paragraphs, I have reviewed the letter that Uber ultimately sent to the FTC requesting that the investigation be closed.

40. Uber sent the finalized letter to the FTC on April 19, 2017. The letter argued that Uber:

    has cooperatively provided information and has also prepared exhaustive interrogatory responses, produced documents, conducted telephonic and in-person briefings through inside and outside counsel on myriad topics, conducted an in-person briefing by senior members of its data security team, sat for an investigational hearing, repeated explanations of processes and systems when staff handing the investigation changed, and responded to follow-up questions from DPIP staff on multiple occasions. No request to Uber from staff is open or unanswered.

41. In addition, Uber highlighted what it claimed were significant new protections it had deployed to the S3 datastore:

    Since the time of the [2014 data breach], now almost three years ago, Uber has put in place numerous and extensive additional protections for the data it stores in the S3 datastore, as well as company-wide improvements in credential protection and management and other aspects of data security. . . . Uber described these improved and updated practices extensively in the course of this investigation.

42. Uber relied on these supposed improvements in arguing that the FTC should not bring a claim against the company, arguing that Uber had become a more sophisticated company since 2014. Similarly, Uber argued that the industry at large had become more adept since 2014 at protecting private data in the cloud, and that Uber should not be judged for “what a company did then (back when the company was much smaller and the technology at issue was evolving) according to the standards that the agency thinks are appropriate now (given the current sophistication of the company and current industry best practices).” Uber made these arguments via letter in April 2017, approximately five months after the 2016 Breach.

43. Based on my investigation, I do not believe that any of the individuals responsible for drafting the April 19 letter to the FTC had been made aware of the 2016 data breach.[3] SULLIVAN was consulted on the letter in its draft form, but he withheld knowledge of the breach from others within Uber who were in a position to disclose that information to the FTC.

F. Scrutiny from New Management

44. In September 2017, SULLIVAN was asked to brief Uber’s new CEO on the 2016 incident. SULLIVAN asked his team to prepare a summary, which they did. After receiving that summary, however, SULLIVAN removed certain details from the summary that would have illustrated the true scope of the breach. SULLIVAN’s changes resulted in both affirmative misrepresentations and misleading omissions of fact. In my training and experience, these changes demonstrate SULLIVAN’s ongoing intent to obstruct the FTC (which had not yet fully resolved its investigation) and his consciousness of guilt regarding his actions.

`45.
`disclosed that the hackers had gained acc