Courthouse News Service, Wednesday, December 7, 2022

2016 data breach kept hidden from in-house counsel, former Uber lawyer testifies

A former in-house attorney for Uber testified Tuesday that the FTC would have been interested in learning about a 2016 data breach as part of its investigation into Uber's security practices, but Uber's security chief kept mum.

SAN FRANCISCO (CN) — Testifying Tuesday in the criminal obstruction trial of ex-Uber security chief Joe Sullivan, a top privacy attorney for the ride-hail giant said Sullivan kept her in the dark about a serious 2016 hack of company data servers even as Uber was under investigation by the Federal Trade Commission for a very similar hack that happened two years earlier.

Sabrina Ross said she was “upset” and “surprised” to learn about the 2016 data breach just months after her team collaborated on a settlement agreement with the agency over earlier allegations that Uber failed to protect its users’ sensitive personal information.

Ross said she was on maternity leave in late summer 2017 when she became aware of the second breach. “I started getting phone calls from people I knew at law firms because it had hit the press, so they were reaching out to see if we needed representation,” Ross said. “I was upset.”

Ross and other members of Uber’s in-house legal team had been working for months with outside counsel at Perkins Coie on a settlement with the FTC. She said her department collaborated closely with engineers who worked under Sullivan.

By 2017, Ross said Uber’s legal team began discussing plans to encourage the FTC to close its investigation, which had been ongoing for two and a half years. “Joe was supportive of proceeding with the recommendation to settle,” Ross testified.

On April 7, 2017, Ross sent Sullivan and Uber General Counsel Salle Yoo a preliminary draft of a letter she planned to send the agency.

“I recommend sending this letter to the FTC this week urging closing of its 2.5 year privacy/security investigation into Uber,” Ross wrote. “In essence, we argue 1) Uber's record of cooperation and engagement with FTC staff over the last 28 months has been exemplary. 2) even before the receipt of compulsory process, Uber came forward to provide information on a voluntary basis and has provided exhaustive information to staff. 3) the data security incidents at issue reflect no misdirected priorities, no failure to appreciate risks, and no lack of data security knowledge or care.”

Ross added, “As detailed in the letter, the FTC has had ample time to investigate issues and should no longer be holding open an indefinite fishing expedition. While the letter may prompt further activity on the matter, we believe insight into their theory of a case (if any) is preferable to ongoing uncertainty.”

A few minutes later, Sullivan responded “Letter looks ok to me. Thanks.”

Ross testified that at no point did Sullivan ever tell her that another data breach had occurred months earlier, where two hackers made off with the personal data of 57 million app users, including names, email addresses and phone numbers, along with 600,000 driver’s license numbers.

Uber fired Sullivan in 2017, and in 2020 the feds charged him with one count of obstruction and one count of hiding a felony from authorities. His trial marks what's said to be the first criminal prosecution of a tech company executive for an alleged data breach.

Assistant U.S. Attorney Andrew Dawson asked Ross repeatedly about her knowledge of the second hack around the time Uber was responding to the FTC’s questions about its security practices, talks she said Sullivan would have been aware of as head of Uber's security division.

“In the course of meetings and emails with Mr. Sullivan, did he mention there was another incident that may be relevant to FTC's investigation?” Dawson asked.

Ross answered, “No.”

Dawson asked Ross if Sullivan had ever informed her that, as of 2016, Uber still stored unencrypted user information on servers hosted by Amazon Web Services (AWS) — one of the primary security flaws that prompted the FTC probe.

“He had not,” she said.

Sullivan’s defense argued it was not Sullivan's responsibility to report the second breach to regulators and that “lawyers took the helm in submitting responses to the FTC.”

Defense attorney David Angeli elicited testimony from Ross on cross-examination that her interactions with Sullivan overall were fairly limited, and that she would mostly seek out members of his security group to provide technical information as needed.

Sullivan's lawyers also pointed to Craig Clark, Uber's in-house legal director for security, who was ousted alongside Sullivan in 2017, as the person responsible for reporting data breaches to the FTC.

Angeli noted Clark was well aware of the 2016 hack since he helped Uber's security response team draft the nondisclosure agreements the two hackers eventually signed in exchange for a $100,000 ransom.

Clark also received a draft of the legal team’s letter to the FTC. On April 10, 2017, he had this comment to share: “Does it feel a little too verbose and maybe martyr-ish?”

The FTC settlement required Uber to improve its security practices and allow independent auditors to track its progress for 20 years. Because of the 2016 breach, the settlement was revised to subject Uber to civil penalties if it ever again deceives the FTC about future breaches.

Ross is now director of privacy and public policy at Facebook parent Meta, where Sullivan previously worked as chief of security.

Dawson showed the jury one written comment Sullivan made regarding Facebook's past run-in with the FTC that said: “The process at FB [Facebook] was hugely burdensome for innovation.”
