Case 3:20-cr-00337-WHO Document 1 Filed 08/20/20 Page 1 of 20
AO 91 (Rev. 11/11) Criminal Complaint

UNITED STATES DISTRICT COURT
for the
Northern District of California

United States of America
v.
JOSEPH SULLIVAN
Defendant(s)

Case No. 3-20-71168 JCS

CRIMINAL COMPLAINT

I, the complainant in this case, state that the following is true to the best of my knowledge and belief.
On or about the date(s) of Nov. 15, 2016 to Nov. 21, 2017 in the county of San Francisco and elsewhere in the Northern District of California, the defendant(s) violated:

Code Section: 18 U.S.C. § 1505
Offense Description: Count One: Obstruction of Justice
Max. Penalties: 5 years in prison; $250,000 fine; 3 years of supervised release; $100 special assessment; restitution; forfeiture

Code Section: 18 U.S.C. § 4
Offense Description: Count Two: Misprision of a Felony
Max. Penalties: 3 years in prison; $250,000 fine; 1 year of supervised release; $100 special assessment; restitution; forfeiture

This criminal complaint is based on these facts:
The attached affidavit of FBI Special Agent Mario C. Scussel.

Continued on the attached sheet.

Approved as to form: /s/
AUSA Andrew Dawson

Complainant’s signature: s/
Printed name and title: Mario C. Scussel, SA FBI

Sworn to before me by telephone.

Date: 08/19/2020
City and state: San Francisco, California
Judge’s printed name and title: Hon. Joseph Spero, U.S. Magistrate Judge

FILED
Aug 20 2020
SUSAN Y. SOONG
CLERK, U.S. DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO

AFFIDAVIT OF SPECIAL AGENT MARIO C. SCUSSEL IN SUPPORT OF CRIMINAL COMPLAINT

I, Mario C. Scussel, a Special Agent of the Federal Bureau of Investigation, being duly sworn, hereby declare as follows:

I. OVERVIEW AND AGENT BACKGROUND

1. I make this affidavit in support of a two-count Criminal Complaint against JOSEPH SULLIVAN (hereinafter SULLIVAN):
a. Count One: Obstruction of Justice, in violation of 18 U.S.C. § 1505;
b. Count Two: Misprision of a Felony, in violation of 18 U.S.C. § 4.
For the reasons set forth below, I believe there is probable cause to believe SULLIVAN has committed each of the foregoing violations of federal law.

2. The statements contained in this affidavit come from my personal observations, my training and experience, information from records and databases, and information obtained from other agents and witnesses. This affidavit summarizes such information in order to show that there is probable cause to believe that SULLIVAN has committed the violations listed above. This affidavit does not purport to set forth all of my knowledge about this matter, or to name all of the persons who participated in these crimes.

3. I am a Special Agent of the Federal Bureau of Investigation (“FBI”) and have been so employed for approximately 12 years. I am currently assigned to the Complex Financial Crime Squad of FBI’s San Francisco Field Division. As part of my assigned duties, I investigate possible violations of federal criminal law, specifically investigations involving white collar crimes. I successfully completed 21 weeks of New Agent Training at the FBI Academy in Quantico, Virginia in January 2009. During that time, I received training in legal statutes and procedures, financial investigations, money laundering techniques, asset identification, forfeiture and seizure, physical surveillance, confidential source management, and electronic surveillance techniques.

4. During my employment with the FBI, I have conducted interviews of witnesses, victims, and subjects; conducted physical surveillance, executed search warrants and arrests; reviewed evidence and documents; transported evidence, and prisoners. Prior to my employment as a Special Agent, I also worked for the FBI, as an Investigative Specialist conducting surveillance operations for Counterintelligence and Counterterrorism investigations. I earned a Master’s Degree in Business Administration from the University of California at Berkeley – Haas Business School as well as Master of Arts and a Bachelor of Arts Degrees in Psychology from Stanford University.

II. APPLICABLE LAW

5. Title 18, United States Code, Section 1505 provides: “Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States, or the due and proper exercise of the power of inquiry under which any inquiry or investigation is being had by either House, or any committee of either House or any joint committee of the Congress—Shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.”

6. Title 18, United States Code, Section 1515(b) provides: “As used in section 1505, the term ‘corruptly’ means acting with an improper purpose, personally or by influencing another, including making a false or misleading statement, or withholding, concealing, altering, or destroying a document or other information.”

7. Title 18, United States Code, Section 4 provides: “Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.”

III. FACTS SUPPORTING PROBABLE CAUSE

A. Summary

8. SULLIVAN is a 52-year-old male, living in Palo Alto, CA. Between approximately April 2015 and November 2017, SULLIVAN served as Chief Security Officer for Uber Technologies Inc. (“Uber”). During his tenure, SULLIVAN assisted in overseeing Uber’s response to a Federal Trade Commission (“FTC”) investigation into Uber’s data security practices. That investigation had been triggered, in part, by a data breach suffered by Uber in approximately 2014.

9. In the course of Uber’s response to the FTC’s investigation, SULLIVAN participated in conference calls with FTC attorneys; reviewed Uber’s submissions to the FTC; gave a presentation to FTC staff in Washington, D.C.; and sat for a sworn investigative hearing similar to a deposition. SULLIVAN was therefore intimately familiar with the nature and scope of the FTC’s investigation, and he held himself out as familiar with that investigation. Nevertheless, when SULLIVAN learned that Uber’s systems had been hacked in approximately November 2016—approximately ten days after SULLIVAN had provided sworn testimony to the FTC—SULLIVAN engaged in a scheme to withhold and conceal from the FTC both the hack itself and the fact that the data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers. When Uber brought in a new CEO in 2017, SULLIVAN lied to him about the circumstances surrounding that data breach. Uber’s new management ultimately disclosed the breach to the FTC in November 2017, explaining that the hackers had obtained the names and driver’s license numbers of approximately 600,000 Uber drivers and some personal information associated with 57 million Uber users and drivers. SULLIVAN’s employment was terminated by Uber at approximately the same time.

10. In sum, business records generated in the course of the response to the breach reflect that SULLIVAN instructed his team to keep knowledge of the 2016 Breach tightly controlled. Witnesses reported SULLIVAN was visibly shaken by the events. A witness also reported that SULLIVAN stated in a private conversation that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out. SULLIVAN instructed the team that knowledge of the breach was to be disclosed outside the security team only on a need-to-know basis and the company was going to treat the incident under its “bug bounty” program. Bug bounty programs are designed to incentivize white-hat hackers, or “researchers,” to identify security vulnerabilities by offering a monetary reward in exchange for such efforts. However, the terms and conditions of Uber’s bug bounty program did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems. Nevertheless, Uber arranged for its bug bounty vendor to pay the hackers $100,000, which at the time was by far the largest bounty that Uber had ever paid through the program.

11. SULLIVAN further insisted that the hackers agree to sign non-disclosure agreements (“NDAs”) in exchange for the $100,000 bounty payment that would supplement the standard terms of Uber’s bug bounty program. Such a supplemental NDA was not a typical component of a bug bounty claim, and witnesses I have interviewed do not recall Uber requiring a supplemental NDA in any other bug bounty claim. Moreover, the NDA SULLIVAN authorized falsely represented that the hackers had not obtained or stored any data during their intrusion. Both the hackers and SULLIVAN knew at the time that this representation in the NDA was false. This misrepresentation concealed the fact that the hackers had, in fact, stolen data, thereby falsely giving the incident the appearance of a typical bug bounty claim rather than a data breach. The hackers’ ransom was paid in December 2016 via bitcoin, even though the hackers by that time had refused to sign the NDAs in their true names and had not yet been identified by Uber. Uber’s staff continued to work on identifying the hackers and were able to eventually identify them in January 2017, at which point SULLIVAN dispatched security staff to interview both hackers and obtain signed NDAs from them in their true names. The true-identity NDAs continued to include the claim that SULLIVAN, Uber, and the hackers knew to be false: that the hackers had not taken data from Uber.

12. Records further indicate Uber’s management team, with the sole exception of Uber’s C.E.O. at the time, had no contemporaneous knowledge of the details of the data breach and had no role in the decision to treat the breach under the Bug Bounty program.

13. In the months following the data breach, Uber and SULLIVAN continued to respond to the FTC’s inquiries. For example, in December 2016, SULLIVAN was aware that Uber was preparing to provide an update to the FTC about employee access to personally identifying information. Nevertheless, SULLIVAN never informed the FTC of the 2016 data breach, even though he was aware that the FTC’s investigation focused on data security, data breaches, and protection of PII. In addition, witness interviews indicate that SULLIVAN did not inform the Uber attorneys working on the FTC investigation—either in-house or outside counsel—that the breach had occurred.

14. In approximately August 2017, Uber named a new Chief Executive Officer. Two months later, Uber disclosed the 2016 data breach publicly, apologizing for the failure to do so promptly. Uber fired SULLIVAN and a security attorney assigned to his team.

B. The Federal Trade Commission Investigation

15. In February 2015, Uber informed the FTC that it had suffered a data breach in September 2014 (“the 2014 Breach”). The FTC subsequently began investigating the circumstances of the 2014 Breach, gathering information via document requests and interrogatories contained in Civil Investigative Demands. Uber was in frequent contact with the FTC via outside counsel, sharing information on a proactive basis and in response to both formal and informal inquiries from FTC staff.

a. 2014 Data Breach

16. According to Uber’s disclosures to the FTC, the 2014 Breach occurred when an outsider was able to gain access to data Uber stored on an Amazon Web Services (“AWS”) platform known as S3. The outsider located an AWS access ID and secret key in software code posted to GitHub, which is a web-based platform used by software developers to store and share code. The outsider then used that access ID and secret key to gain access to Uber’s data. Uber later determined the file accessed by the outsider contained enough information to allow a user to match names and drivers’ license numbers of approximately 50,000 drivers. According to Uber’s disclosures, the database was not encrypted.

b. First Civil Investigative Demand

17. On May 21, 2015, the FTC issued a Civil Investigative Demand (“CID”). Included in the CID were four interrogatories, each with various subparts. The fourth interrogatory required Uber to provide, “[w]ith respect to any Breach or suspected breach,” a variety of information including:

• “When and how the Company learned of the breach,”
• “The location, type(s), and amount(s) of Personal Information that unauthorized person(s) could have accessed or viewed,”
• “The location, type(s), and amount(s) of Personal Information that the unauthorized person(s) did copy, download, or remove”; and
• “[W]hen and . . . how the Company notified Consumers, law enforcement, and other third parties about the Breach.”

18. The CID defined “breach” as “unauthorized access into the Company’s systems or to Personal Information in the Company’s file(s), including but not limited to the unauthorized access to the Company’s database(s) that took place on or around May 12, 2014 [the 2014 Data Breach].” “Personal Information” was defined broadly as “individually identifiable information from or about an individual Consumer,” specifically including “a driver’s license . . . or other personal identification number.” The applicable time period was defined as “from January 1, 2014, until the date of full and complete compliance with this CID.”

c. SULLIVAN’s Role in the FTC Investigation

19. On September 25, 2015, Uber provided a set of interrogatory responses which explained its use of Amazon’s S3 platform. The responses disclosed that SULLIVAN and one of his direct reports “supervised the preparation of Uber’s response to this CID.” The response explained that “Uber’s Amazon S3 datastore is divided into 101 buckets,” and these buckets could be divided into three types: (1) application logs; (2) static files; and (3) other buckets, which included “storage of database backups and database prunes . . . .” As to the storage of “database backups and database prunes,” Uber explained that a “complete database backup” is “retained to allow service restoration in the event of system failure,” while a “database prune” is a “snapshot containing limited data used to realistically simulate the production environment for purposes of development and testing . . . .” Uber further stated that beginning in August 2014, all new database backup files were encrypted.

d. SULLIVAN’s FTC Testimony

20. On June 10, 2016, the FTC issued a second CID, which required Uber to designate an officer to provide sworn testimony on a variety of topics. As a focus among these topics, the FTC compelled testimony on a variety of issues related to S3, Uber’s use of encryption, and Uber’s retention of personally identifying information (“PII”). Uber designated SULLIVAN as its witness, and he was prepared extensively for the hearing by both in-house and outside counsel, over the course of approximately four days which spanned several weeks, with meetings ranging from an hour to an entire day.

21. The hearing took place on November 4, 2016. By this time, the FTC’s investigation was focused in large part on Uber’s use of S3 and its implications for data privacy. SULLIVAN testified that he understood that the 2014 Breach, which predated SULLIVAN’s employment at Uber, involved an Amazon Web Services access ID that had been inadvertently posted publicly on GitHub. That ID gave an outsider access to Uber’s data. SULLIVAN elaborated that it was common at the time to write access IDs and other secrets directly into code when that code needed to call for information from another service. This practice had implications when code was exposed to outsiders, because the code itself would give them access to Uber’s data. SULLIVAN explained that “key management”—that is, ensuring secret keys are not exposed to bad actors—“is always an important part of an overall security program for any company.”

22. SULLIVAN also testified about Uber’s storage of database backups in AWS. He was asked about Uber’s statement in an interrogatory response that all new database backup files had been encrypted as of August 2014, and he testified in detail about the weaknesses in Amazon’s native encryption functions and the fact that encryption became much more important as companies began moving to cloud-based infrastructure. SULLIVAN never contested that the 2014 Breach was a data breach and, in fact, acknowledged that.

C. The 2016 Breach and Cover-Up

23. Approximately ten days after SULLIVAN’s testimony, he learned that Uber’s AWS S3 datastore had been breached again. On November 14, 2016, SULLIVAN received an email from “johndoughs@protonmail.com” claiming to have found a “major vulnerability in uber,” and that “I was able to dump uber database and many other things.”

24. At SULLIVAN’s direction, Uber’s security team began an investigation. Within approximately a day, the security team realized an unauthorized person or persons had accessed AWS and obtained, among other things, a copy of a database containing approximately 600,000 drivers’ license numbers for Uber drivers. Based on documents I have reviewed and witness interviews I have conducted, within approximately the same time period SULLIVAN became aware the attackers had accessed AWS in almost the identical manner the 2014 attacker had used. That is, the attackers were able to access Uber’s source code on GitHub (this time by using stolen credentials), locate an AWS credential, and use that credential to download Uber’s data.

25. Contemporaneous documentation reflects SULLIVAN understood the sensitivity of this information. The response team generated a shared document referred to as the Preacher Central Tracker (“the Tracker”), which was used to record progress in the investigation and tasks assigned to various team members. In an update dated November 14, the Tracker stated:

    access key has not be rotated [sic] since [it was created in 2013]. None of the people are at the company any longer. Task was to rotate keys within S3 to ensure this could not happen in the future but there are thousands of tasks. Joe was just deposed on this specific topic and what the best or minimum practices that any company should follow in this area.

26. Based on the context within the Tracker and my review of the transcript of SULLIVAN’s testimony, I believe the reference to “Joe was just deposed” refers to SULLIVAN’s testimony to the FTC. The comment demonstrates that the similarity and connection between the 2014 Breach and the 2016 Breach was apparent to the response team at an early phase.

27. A later update recorded in the Tracker reflected the need to keep news of the breach confidential:

    Information is extremely sensitive and we need to keep this tightly controlled. Discussion with other Engineers must be tightly controlled. Joe is communicating directly to the A-Team.

28. Based on my investigation, I believe the term “A-Team” refers to the executive management team within Uber, representing the C.E.O.’s direct reports. SULLIVAN was a member of the A-Team. Based on my investigation and interviews with other management team members, I believe that contrary to the representation in the Tracker, only the C.E.O. and SULLIVAN had contemporaneous knowledge of the details of the 2016 Breach, including that drivers’ license numbers had been stolen.

29. Uber’s response to the breach, as reflected in the Tracker and other business records, required that engineers within the company take a variety of steps to lock down Uber’s data and prevent further access by the hackers. The Tracker contained the following guidance on how to justify such broad action without disclosing the nature of the 2016 Breach more widely within the company:

    What is our position to the company to talk about what we are doing? We had a data breach in 2014, we learned our lesson and we need to get our house in order. Hundred service centers must rotate their secrets. Our common story has to be:

    - This investigation does not exist.
    - We are doing this in order to better protect our information.

D. Bug Bounty and Non-Disclosure Agreements

30. The hackers made clear early in their email correspondence with Uber that they expected a six-figure payout. Email and text correspondence demonstrate that SULLIVAN and others considered using Uber’s bug bounty program to pay the hackers, even though that program had never awarded a bounty even close to $100,000 and had a nominal cap of $10,000. Moreover, Uber’s Hacker One policy terms contained language specifying that dumping user data from AWS did not comply with Uber’s policy:

    If you get access to an Uber server please report it us [sic] and we will reward you with an appropriate bounty taking into full consideration the severity of what could be done. . . . Using AWS access key to dump user info? Not cool.

31. Soon after learning drivers’ license numbers had potentially been exposed (at approximately 1:00am Pacific time on November 15, 2016), SULLIVAN reached out to Uber’s then-CEO via text message. At approximately 1:28am on November 15, SULLIVAN sent the following text:

32. Call records reflect that SULLIVAN and Uber’s then-CEO had a series of conversations via phone and/or FaceTime lasting approximately five minutes. At approximately 1:38am, the CEO responded:

33. Based on the timing and content of the text messages, compared with the timestamps visible in the Tracker, I believe SULLIVAN was informing the CEO that outside hackers had potentially accessed Uber’s data, specifically approximately 600,000 drivers’ license numbers. The CEO’s response reflects that the prospect of treating the incident under the bug bounty program was already being discussed.

34. SULLIVAN advised certain members of his team that the hackers would need to sign non-disclosure agreements (“NDAs”). To the best of my knowledge, Uber had not previously required a supplemental NDA in order to pay out a bug bounty claim, and SULLIVAN’s team began drafting a new contract. The primary author of the NDA was an attorney assigned to SULLIVAN’s group, but multiple individuals, including SULLIVAN, made edits over the course of the drafting process. The NDA forbade the hackers from disclosing “anything about the vulnerabilities or your dialogue with us to anyone for any purpose without our written permission. This includes any analysis or postmortem in any medium or forum.” That gag provision stands in stark contrast with the standard terms of Uber’s bug bounty program at that time. Uber’s policy at that time contained a Frequently Asked Questions provision. One listed question was “Can I blog about my bug?” The answer:

    Yes, but we ask that you wait until the issue is both fixed and paid out before you publish the blog post. We also prefer that you request disclosure through HackerOne so that readers of your blog post can get the full background on the issue.

35. The NDA also contained the following “promise,” under the “Your promises” section, which applied to the hackers: “You promise that you did not take or store any data during or through your research and that you have delivered to us or forensically destroyed all information about and/or analyses of the vulnerabilities.” Notwithstanding this “promise,” SULLIVAN and the hackers all knew that hackers had, in fact, already taken Uber’s data. In fact, the stolen data, and the risk that it could be publicly exposed or sold on the black market, is what gave the hackers leverage in demanding an unprecedented six-figure payout. But the language created the false impression to third parties, in the event the NDAs were ever publicly disclosed, that the hackers had complied with the terms of Uber’s bug bounty program and had never obtained copies of user or driver data.

36. Prior to sending the NDAs to the hackers for signature, SULLIVAN was advised of the false language in the NDA, and he responded that the language would stay in the agreements.[1] Based on my experience in this investigation, I believe this false and misleading provision reflects SULLIVAN’s intent to conceal the truth of the 2016 Breach—namely, the theft of vast quantities of PII—from the public, from law enforcement, and from the FTC.

[1] The witness who recalls this conversation initially asserted his rights under the Fifth Amendment and declined to be interviewed. He ultimately agreed to be interviewed pursuant to an agreement with the United States Attorney’s Office for the Northern District of California (“USAO”). In summary, the USAO agreed not to use any of the witness’s statements against him in exchange for his cooperation with the investigation.

37. The hackers initially signed the NDAs using pseudonyms. Despite their refusal to provide their real names, Uber arranged to have Hacker One pay the agreed-upon bounty. Payment was made on December 8, 2016. The next month, Uber personnel were able to identify two individuals responsible for the breach. Uber approached them, interviewed them, and arranged for them to sign fresh copies of the NDAs in true name.

E. Resolving the FTC Investigation

38. In the months following the breach, Uber and SULLIVAN continued to respond to the FTC’s investigation, but SULLIVAN never disclosed the 2016 Breach to the Uber personnel working on that response. For example, on December 20, 2016, SULLIVAN received by email a copy of a draft set of supplemental interrogatory responses, sent by the in-house attorney responsible for managing the FTC investigation. Language in those responses claimed once again that “all new database backup files” had been encrypted since August 2014. SULLIVAN responded “I think for FTC we can could present a pretty compelling narrative given how much we have done.” He did not disclose in the email, or in any other communications with the in-house attorney of which I am aware, that Uber had suffered another data breach in the weeks preceding the interrogatory responses.

39. In or about April 2017, SULLIVAN received a draft letter Uber planned to send to the FTC requesting that the FTC close its investigation into Uber. The cover email, to which the draft of the letter was attached, contained the following summary of the letter:

    we argue (1) Uber’s record of cooperation and engagement with FTC staff over the last 28 months has been exemplary; (2) even before the receipt of compulsory process, Uber came forward to provide information on a voluntary basis and has provided exhaustive information to staff; and (3) the data security incidents at issue reflect no misdirected priorities, no failure to appreciate risks, and no lack of security knowledge or care.

The cover email again made no mention of the 2016 data breach. SULLIVAN responded: “Letter looks ok to me. Thanks.”[2]

40. Uber sent the finalized letter to the FTC on April 19, 2017. The letter argued that Uber:

    has cooperatively provided information and has also prepared exhaustive interrogatory responses, produced documents, conducted telephonic and in-person briefings through inside and outside counsel on myriad topics, conducted an in-person briefing by senior members of its data security team, sat for an investigational hearing, repeated explanations of processes and systems when staff handing the investigation changed, and responded to follow-up questions from DPIP staff on multiple occasions. No request to Uber from staff is open or unanswered.

41. In addition, Uber highlighted what it claimed were significant new protections it had deployed to the S3 datastore:

    Since the time of the [2014 data breach], now almost three years ago, Uber has put in place numerous and extensive additional protections for the data it stores in the S3 datastore, as well as company-wide improvements in credential protection and management and other aspects of data security. . . . Uber described these improved and updated practices extensively in the course of this investigation.

42. Uber relied on these supposed improvements in arguing that the FTC should not bring a claim against the company, arguing that Uber had become a more sophisticated company since 2014. Similarly, Uber argued that the industry at large had become more adept since 2014 at protecting private data in the cloud, and that Uber should not be judged for “what a company did then (back when the company was much smaller and the technology at issue was evolving) according to the standards that the agency thinks are appropriate now (given the current sophistication of the company and current industry best practices).” Uber made these arguments via letter in April 2017, approximately five months after the 2016 Breach.

[2] While I have been able to review portions of the cover email, as quoted above, Uber has asserted the attorney-client privilege over most of the contents of the draft letter itself. As noted in subsequent paragraphs, I have reviewed the letter that Uber ultimately sent to the FTC requesting that the investigation be closed.

43. Based on my investigation, I do not believe that any of the individuals responsible for drafting the April 19 letter to the FTC had been made aware of the 2016 data breach.[3] SULLIVAN was consulted on the letter in its draft form, but he withheld knowledge of the breach from others within Uber who were in a position to disclose that information to the FTC.

F. Scrutiny from New Management

44. In September 2017, SULLIVAN was asked to brief Uber’s new CEO on the 2016 incident. SULLIVAN asked his team to prepare a summary, which they did. After receiving that summary, however, SULLIVAN removed certain details from the summary that would have illustrated the true scope of the breach. SULLIVAN’s changes resulted in both affirmative misrepresentations and misleading omissions of fact. In my training and experience, these changes demonstrate SULLIVAN’s ongoing intent to obstruct the FTC (which had not yet fully resolved its investigation) and his consciousness of guilt regarding his actions.

45.
disclosed that the hackers had gained acc
