Lawyers for Uber’s ex-security chief say company scapegoated him
By Cade Metz
Federal prosecutors say Joe Sullivan obstructed justice when in 2016, as the chief of security for Uber, he failed to disclose a breach of driver and customer records to government regulators.
But Sullivan’s lawyers say that he in no way concealed the incident and that claims that he broke the law stem from Uber’s efforts to recast its image following the turbulent reign of the company’s former CEO Travis Kalanick.
Opening arguments began Wednesday in a San Francisco federal court in what is expected to be a monthlong trial for Sullivan, who, in addition to obstruction of justice, is accused of concealing a felony. Many security experts believe that Sullivan, a former federal prosecutor, is the first executive at a company to face potential criminal liability for a data breach.
Corporate security officials say the trial’s outcome could inform how they handle security incidents, including how they interact with hackers and when they reveal information to consumers and regulators.
“There is the threat of jail time. You can’t put a company in jail. You can put an executive in jail. Now, that is on the table,” said Chinmayi Sharma, a scholar-in-residence and lecturer at the Robert Strauss Center for International Security and Law at the University of Texas at Austin.
In 2016, Sullivan learned that hackers had gained access to the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to the criminal complaint against him.
Sullivan referred the hackers to Uber’s bug bounty program, a common way of paying “white hat” security researchers to identify and report security vulnerabilities in popular online services, prosecutors said Wednesday.
Through the program, Uber paid the hackers $100,000 and had them sign nondisclosure agreements, federal prosecutors said. The company did not disclose the incident to the public or inform the Federal Trade Commission of it.
The two young men responsible for the incident later pleaded guilty to hacking. One of them is expected to testify in the trial.
The government accuses Sullivan of failing to disclose the breach to the FTC while the agency investigated Uber over an earlier incident.
In all 50 states, companies are required to disclose security breaches if hackers download personally identifiable data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
One of Sullivan’s attorneys said the responsibility for reporting the incident had rested with Uber’s legal team. Sullivan, he argued, properly disclosed the incident to the legal team and others at the company.
“You won’t hear a single witness take that stand and say that Joe Sullivan told them to lie to the FTC or destroy documents or hide what had happened from Uber’s senior management or the Uber legal team,” said David Angeli, one of Sullivan’s attorneys.
The data breach did not become public until 2017, when Dara Khosrowshahi became Uber’s new CEO and fired Sullivan. Uber declined to comment for this story.
Angeli said that the notion that Sullivan had concealed the breach was a “narrative” created by Uber’s new executive team and that Khosrowshahi had accused Sullivan of failing to disclose the incident because Khosrowshahi had wanted to distance the company from its past.
“His mantra was Uber 2.0,” Angeli said of Khosrowshahi. “He wanted to turn the page of what Uber was doing.”
Andrew Dawson, an assistant U.S. attorney, said Sullivan had tried to conceal the incident both before and after Khosrowshahi had joined the company. “This is a case about a cover-up, about payoffs and about lies,” he said. “The evidence will show that Mr. Sullivan paid for the hackers’ silence” because Uber was being investigated by the FTC.
Dawson said Sullivan had lied to Khosrowshahi in an email describing the incident to the new Uber CEO, implying that the hackers had not downloaded any data from the company.
Angeli argued that Sullivan had very few communications with the FTC during the agency’s investigation of Uber and that the company’s lawyers had been responsible for its response to the investigation.
“The Uber legal team had all the information it needed” in order to decide whether the company should report the 2016 security incident to the agency, he said.
He said that 30 people at the company had known about the breach and that Khosrowshahi had been aware of it for almost three months before the company had reported it. By putting the blame on Sullivan, he argued, Uber’s new management team was able to wash their hands of the incident.