In October 2016, two hackers discovered hardcoded AWS access credentials in
a private GitHub repository used by Uber engineers. They used these credentials
to access an Amazon S3 bucket containing the personal data of 57 million Uber
users and 600,000 drivers. Rather than disclose the breach, Uber’s Chief
Security Officer Joseph Sullivan paid the hackers $100,000 in bitcoin,
disguised as a bug bounty payment, and had them sign non-disclosure agreements.
The breach was concealed for more than a year from the FTC, which was actively
investigating Uber for a prior breach. Sullivan was convicted in
October 2022 of obstruction of justice and misprision of felony, becoming the
first corporate security executive in U.S. history to face criminal conviction
for a breach cover-up.
## Key Facts
- **What:** Hackers found AWS keys in GitHub; Uber's CSO paid $100K hush money via bug bounty.
- **Who:** 57 million Uber users and 600,000 drivers.
- **Data Exposed:** Names, emails, phone numbers, and driver's license numbers.
- **Outcome:** CSO convicted of federal obstruction; $148M state settlement.
## What Was Exposed
- Names, email addresses, and phone numbers for approximately 57 million
Uber riders and drivers worldwide
- Driver’s license numbers for approximately 600,000 U.S.-based Uber drivers
- Internal Uber database records including trip metadata and account details
- AWS access credentials and internal code repositories that enabled the
initial compromise
The exposure of 600,000 driver’s license numbers was particularly significant
because driver’s licenses serve as primary government-issued identification
in the United States. Unlike credit card numbers, which can be quickly cancelled
and reissued, driver’s license numbers are difficult to change and are widely
used for identity verification.
For the 57 million riders, the combination of names, email addresses, and
phone numbers created a comprehensive contact dataset useful for phishing,
social engineering, and credential stuffing attacks.
## The Cover-Up: Anatomy of Obstruction
What elevates the Uber breach from a serious but conventional security
incident to a landmark case in corporate cybersecurity law is not the breach
itself but the deliberate, sustained cover-up that followed.
In November 2016, Uber was in the middle of active settlement negotiations
with the Federal Trade Commission over a separate 2014 data breach. The FTC
had issued detailed interrogatories and document requests to Uber, and
Sullivan himself had provided sworn testimony to the FTC about Uber’s data
security practices just days before learning of the new breach.
The FTC’s investigation specifically concerned Uber’s ability to protect
user data, making the concealment of a new, far larger breach directly
relevant to the ongoing proceeding.
Upon learning of the 2016 breach in November, Sullivan and his team devised
a strategy to conceal the incident. Rather than reporting the breach to the
FTC, law enforcement, or affected individuals, Sullivan directed the payment
of $100,000 in bitcoin to the two hackers. The payment was routed through
Uber’s HackerOne bug bounty program to create the appearance of a
legitimate vulnerability disclosure reward.
The hackers were required to sign non-disclosure agreements that falsely
stated they had not obtained or stored any Uber data. Sullivan also directed
his team to track down the identities of the hackers, which they eventually
did, identifying Brandon Glover and Vasile Mereacre. Rather than reporting
them to law enforcement, this information was used as additional leverage
to ensure their silence. The hackers were required to re-sign the NDAs
under their real names.
The cover-up persisted for over a year. During this time, Sullivan continued
to engage with the FTC regarding the 2014 breach investigation without
disclosing the 2016 incident. In August 2017, Uber’s board approved a
consent decree with the FTC that included commitments about Uber’s data
security practices, a decree negotiated while the undisclosed 2016 breach
remained active.
The concealment unraveled in November 2017, when Uber’s new CEO Dara
Khosrowshahi, who had replaced Travis Kalanick in August 2017, was informed
of the breach during an internal investigation. Khosrowshahi disclosed the
breach publicly on November 21, 2017, and fired Sullivan and a deputy.
## Regulatory Analysis
**FTC Act Section 5:** The FTC’s enforcement centered on Uber’s
deceptive practices regarding data security. The concealment of the 2016
breach while actively negotiating with the FTC over the 2014 breach
constituted a material misrepresentation. By failing to disclose the new
breach, Uber effectively deceived the FTC about the state of its data
security program during the very period the agency was evaluating those
practices.
The FTC expanded the existing consent order to include the 2016 breach,
imposing 20 years of mandatory security audits, biennial third-party
assessments, and requirements to notify the FTC of any future breaches
within specified timeframes.
**State Breach Notification Laws:** The 2016 breach triggered
notification obligations under the data breach notification statutes of
all 50 states. By concealing the breach for over a year, Uber violated
these obligations in every state where affected consumers resided.
The 50-state attorney general coalition extracted a $148 million
settlement, the largest data breach settlement by state attorneys general
at the time. The settlement required Uber to implement a comprehensive
data security program, maintain a corporate integrity program, and
submit to regular third-party assessments.
**18 USC 1505 (Obstruction of Federal Proceedings):** Sullivan was
charged under the federal obstruction statute for concealing the breach
from the FTC during an active investigation. The prosecution argued that
Sullivan’s failure to disclose the 2016 breach to the FTC, while actively
participating in the agency’s investigation of the 2014 breach,
constituted obstruction of a pending federal proceeding. The jury agreed,
finding Sullivan guilty in October 2022.
**18 USC 4 (Misprision of Felony):** Sullivan was also convicted of
misprision of felony, the crime of knowing about a felony and actively
concealing it from authorities. The hackers’ unauthorized access to
Uber’s systems and theft of personal data constituted federal computer
fraud felonies. Sullivan’s knowledge of these crimes and affirmative
steps to conceal them through the disguised bug bounty payment and NDAs
met all elements of misprision.
**Sentencing and Precedent:** In May 2023, Sullivan was sentenced
to three years of probation and a $50,000 fine. While the sentence was
lighter than prosecutors sought, the conviction itself established a
momentous precedent: corporate security executives who conceal data
breaches from regulators and law enforcement face personal criminal
liability.
The Sullivan case redefined the risk calculus for every CISO in America,
making clear that covering up a breach is not merely a corporate governance
failure but a federal crime.
## What Should Have Been Done
**Credential Security in Code Repositories:** The root cause was
hardcoded AWS access credentials in a GitHub repository. This is a
well-known anti-pattern that remains alarmingly common. Organizations
must implement automated secret scanning on all code repositories, use
secrets management systems (such as AWS Secrets Manager or HashiCorp
Vault) for all production credentials, and enforce pre-commit hooks
that block commits containing credential patterns.
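The pre-commit control described above, as an added example (this is not Uber's or GitHub's tooling): a hook that parses the staged unified diff, scans only the lines a commit would add for AWS credential patterns, and refuses the commit when any are found. The `scan_diff` parser, the `SAMPLE_DIFF` fixture, and the file and bucket names in it are constructed for the example; the key values are the placeholder pair from AWS's own documentation, not live credentials.

```python
import re
import subprocess
import sys

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA,
# each followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 base64-like characters; that alone is too generic, so
# we only flag one assigned to an aws_secret_access_key-style name.
SECRET_KEY = re.compile(
    r"aws[_-]?secret(?:[_-]?access)?[_-]?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def find_credentials(line):
    """Yield (kind, value) for every credential-looking token on one line."""
    for m in ACCESS_KEY_ID.finditer(line):
        yield "aws_access_key_id", m.group(1)
    for m in SECRET_KEY.finditer(line):
        yield "aws_secret_access_key", m.group(1)


def redact(value):
    """Never echo a full secret into hook output or CI logs."""
    return value[:4] + "..." + value[-4:]


def scan_diff(diff_text):
    """Walk a unified diff and return (path, new_line_no, kind, redacted)
    for credentials on ADDED lines only, so a commit that removes a
    leaked key is not blocked."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("--- "):
            continue
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK_HEADER.match(raw)
        if hunk:
            lineno = int(hunk.group(1))  # first line number in the new file
            continue
        if raw.startswith("+"):
            for kind, value in find_credentials(raw[1:]):
                findings.append((path, lineno, kind, redact(value)))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1  # unchanged context line
        # '-' lines and diff metadata do not advance the new-file counter
    return findings


def should_block(diff_text):
    """True when the staged changes must not be committed."""
    return bool(scan_diff(diff_text))


# Constructed staged diff using AWS's documented example key pair.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "rider-exports"
"""

if __name__ == "__main__":
    # Installed as .git/hooks/pre-commit: scan what `git commit` is about
    # to record and fail the commit on any hit.
    staged = subprocess.run(
        ["git", "diff", "--cached", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    hits = scan_diff(staged)
    for path, lineno, kind, value in hits:
        print(f"BLOCKED {path}:{lineno}: {kind} {value}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Scanning the diff rather than the working tree keeps the hook fast and means a commit that deletes a leaked key passes; the same `scan_diff` function can run server-side in CI over `git diff base..head` as a second line of defence for developers who skip local hooks.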
**Immediate Transparent Disclosure:** The single most critical lesson
from the Uber case is that concealment always makes a breach worse. Had
Uber disclosed the 2016 breach promptly, the company would have faced
regulatory penalties and reputational damage, but the penalties would
have been a fraction of the $148 million state settlement, and Sullivan
would not have faced criminal prosecution.
The cover-up transformed a serious but manageable security incident into
a historic enforcement action and criminal case.
**Bug Bounty Program Integrity:** Using a bug bounty program to
disguise hush money payments corrupts a legitimate security mechanism.
Bug bounty programs must have clear policies distinguishing between
legitimate vulnerability reports and criminal extortion. Payments to
individuals who have already accessed and stolen production data are
not bug bounties; they are ransom payments and must be treated
accordingly, with appropriate legal and law enforcement engagement.
**Regulatory Engagement During Active Investigations:** When an
organization is under active investigation by a federal agency, the
obligation to disclose material developments is heightened. Sullivan’s
conviction demonstrates that failing to disclose a new breach during
an active FTC investigation constitutes obstruction.
**AWS S3 Bucket Security:** The data was stored in an S3 bucket with
insufficient access controls. Organizations must implement S3 bucket
policies that enforce encryption, restrict access to authorized IAM roles,
enable server access logging, and use AWS Config rules to detect and
remediate public or overly permissive bucket configurations. AWS provides
native tools, including S3 Block Public Access and Access Analyzer, that
should be deployed across all accounts.
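The bucket controls listed above, as an added example that is not Uber's or AWS's code: `hardened_policy` builds a bucket policy that restricts access to named IAM roles, denies non-TLS requests, and denies uploads that do not request server-side encryption, while `audit_bucket` applies the same checks (public access block, public or unauthorized principals, TLS, encryption, server access logging) to a simplified bucket description of the kind AWS Config rules evaluate. The `bucket_config` dict shape loosely follows what the GetPublicAccessBlock, GetBucketPolicy, GetBucketEncryption and GetBucketLogging APIs return, and the bucket and role names are constructed.

```python
import json

# Four settings that together make up S3 Block Public Access.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def hardened_policy(bucket, allowed_role_arns):
    """Bucket policy: named roles only, TLS only, encryption required."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Only the named roles may list the bucket or touch objects.
                "Sid": "AllowAuthorizedRoles",
                "Effect": "Allow",
                "Principal": {"AWS": list(allowed_role_arns)},
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/*"],
            },
            {   # Refuse any request that is not sent over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Refuse uploads that do not ask for server-side encryption.
                # Clients must then set the header explicitly, even though
                # S3 also applies default encryption to new objects.
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _principals(stmt):
    """Normalise the Principal element to a list of principal strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]


def audit_bucket(cfg, allowed_role_arns):
    """Return human-readable findings; an empty list means the bucket passes."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    statements = (cfg.get("Policy") or {}).get("Statement", [])
    denies_plaintext = denies_unencrypted = False
    for stmt in (statements if isinstance(statements, list) else [statements]):
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        principals = _principals(stmt)
        if stmt.get("Effect") == "Allow":
            if "*" in principals and not cond:
                findings.append(f"statement {sid} grants public access")
            findings += [f"statement {sid} allows unauthorized principal {p}"
                         for p in principals if p != "*" and p not in allowed_role_arns]
        elif stmt.get("Effect") == "Deny":
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
                denies_plaintext = True
            if cond.get("Null", {}).get("s3:x-amz-server-side-encryption") == "true":
                denies_unencrypted = True
    if not denies_plaintext:
        findings.append("policy does not deny non-TLS requests")
    if not (denies_unencrypted or cfg.get("ServerSideEncryptionConfiguration")):
        findings.append("no default encryption and no deny on unencrypted uploads")
    if not cfg.get("LoggingEnabled"):
        findings.append("server access logging disabled")
    return findings


# Constructed sample configurations (account id and role names are made up).
ALLOWED_ROLES = ["arn:aws:iam::123456789012:role/rider-export-service"]
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
    "Policy": hardened_policy("rider-exports", ALLOWED_ROLES),
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "LoggingEnabled": {"TargetBucket": "rider-exports-logs", "TargetPrefix": "s3/"},
}
WEAK_BUCKET = {   # the shape a mis-configured bucket typically reports
    "PublicAccessBlockConfiguration": {},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::rider-exports/*"}]},
}

if __name__ == "__main__":
    print(json.dumps(hardened_policy("rider-exports", ALLOWED_ROLES), indent=2))
    for name, cfg in (("hardened", HARDENED_BUCKET), ("weak", WEAK_BUCKET)):
        print(name, audit_bucket(cfg, ALLOWED_ROLES) or ["clean"])
```

The audit deliberately treats an Allow to any principal outside the allow-list as a finding, not only `Principal: "*"`, because a bucket policy that trusts one extra role is exactly the kind of drift that Access Analyzer reports and that a stolen credential belonging to that role would exploit.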
The Uber breach cover-up is the defining case for personal accountability
in cybersecurity. It established that concealing a data breach from regulators
is not a strategic option but a federal crime. Joseph Sullivan’s conviction
put every CISO on notice: the decision to hide a breach can end your career
and your freedom. For organizations, the lesson is absolute: no breach
is as damaging as the cover-up that follows it.