SAN FRANCISCO (CN) — When Uber’s former security head Joe Sullivan first raised the idea of treating a serious 2016 data breach as a “bug bounty,” software engineer Daniel Borges thought it was a neat idea.
“It struck me as a novel idea and very neat,” said Borges, who was part of Uber’s security response team tasked with triaging a serious intrusion caused by two hackers who downloaded a trove of personal data from 57 million riders and drivers after breaching one of the company’s Amazon-hosted web servers. “I thought it was a creative way to solve the problem.”
The former Uber engineer testified Friday in Sullivan’s trial, where he stands accused of concealing the breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.
The investigation was prompted by a similar security incident from 2014, and prosecutors say Sullivan covered up the 2016 breach to avoid further FTC scrutiny by paying for the hackers’ silence with $100,000 and disguising the hack as another white hat bounty.
Many tech companies offer deals for researchers to find and report security flaws in exchange for a potential payout. Uber’s own bug bounty program, created in partnership with HackerOne, debuted publicly in March 2016.
Borges testified that he soon began to have second thoughts about convincing the hackers to join the program. “As I thought about it more and I started to look at the data, I started to have a nagging feeling like is this a breach? Should we say something?” he said.
John “Four” Flynn, an information security officer who reported to Sullivan, also testified that he recalled being in the room when a bounty was discussed, though as one of the leaders of the response team his central focus at the time was on “locking the system down.”
“My view evolved, but in the beginning we wanted to get them to operate within the program because that was the system we had set up for these sorts of things,” Flynn said. “That’s what it was built for, for people to find security issues and report them to us.”
But the hackers’ methods were dubious and their demands struck him as extortionate. He noted that the first hacker reached out to Sullivan’s personal email instead of through the HackerOne portal, which would have required an account set up with a Social Security number.
In subsequent emails with members of Uber's security response team, the hackers demanded “six figures” and threatened to expose the personal data they’d stolen if they weren’t handsomely paid.
“They made extortionate demands and made threatening notices to us, so it was clear they didn’t want to operate in the way the program was set up,” Flynn said. “The amount of money they were demanding was much higher than we would normally pay out for security flaws in the program. The point of the program is to find technical flaws, not exploit them and take advantage of them.”
Borges echoed Flynn’s account, saying the incident “seemed unusual” in the context of a bug bounty, since Uber usually controls the size of the payout. “The hacker went to Joe and said, ‘Hey, I have your data and I want this amount of money.’ It was 10 times higher than our maximum payout.”
Borges noted his concerns about disclosure obligations in the company’s “Preacher Central Tracker,” a real-time, digital record of Uber’s response to the attack. “Not at this time,” was the response he received.
Sullivan’s trial is believed to be the first criminal prosecution of a tech executive over a data breach, and the Wall Street Journal reported that its outcome is being closely watched by other tech company security chiefs who believe Sullivan's handling of the attack was appropriate.
Sullivan, a highly regarded fixture in the information security industry, previously worked as Facebook’s chief security officer following stints as senior director of trust and safety at eBay and associate general counsel at PayPal. Before that, he was a federal prosecutor who handled cybercrime cases.
Sullivan's lawyers say Uber’s legal department and its outside counsel were responsible for any failure to report the breach to the FTC.
In cross-examining Borges, Sullivan's attorney John Cline asked if “reasonable minds could differ on this disclosure issue,” to which Borges replied, “Once you have a certain amount of these records, it should be an obvious thing.”
“This issue is why you had lawyers involved?” Cline asked. When Borges answered yes, Cline pressed, “And the lawyers provided the advice about disclosure?”
“Yes,” Borges said.
“And you're not a lawyer?” Cline asked.
“No,” Borges answered.
Cline also tried to show that Sullivan could have used the bug bounty program as a way of ascertaining the hackers’ true identities. He also elicited testimony from Borges and Flynn that Sullivan had made a “good faith effort” to deal with the breach.
Vasile Mereacre, 23, of Toronto, and Brandon Glover, 26, of Florida, pleaded guilty to the hack in October 2019. Sullivan was fired from Uber in 2017 and charged in 2020. Until recently, he was chief security officer for Cloudflare.
The FTC settled with Uber over the 2014 incident in 2017, but that settlement was later revised to subject Uber to civil penalties if it ever again deceives the FTC about future breaches.