Wednesday, October 4, 2023
Courthouse News Service

Ex-security chief vilified by Uber after data breach, former comms head testifies

The defense wrapped with testimony from Melanie Ensign, a former head of security and privacy communications, who said she believed Joseph Sullivan was treated as a fall guy for a 2016 data breach.

SAN FRANCISCO (CN) — Uber’s former global head of security and privacy communications defended Joe Sullivan at his criminal obstruction trial on Thursday, saying the ex-security chief had been unfairly cast as a villain in the media and by Uber’s public relations team in the aftermath of a 2016 data breach.

“I thought there was an unfair characterization about whether or not he had intentionally tried to keep this a secret, particularly within the company,” Melanie Ensign testified.

Ensign joined the company in October 2016, just one month before she found out that two hackers had infiltrated one of the company's Amazon-hosted web servers and made off with the personal information of 57 million app users, then contacted Sullivan over email demanding a ransom payment.

Sullivan stands accused of concealing the breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.

The investigation was prompted by a similar security incident from 2014, and prosecutors say Sullivan covered up the 2016 breach to avoid further FTC scrutiny by buying the hacker’s silence with a $100,000 ransom funneled through Uber’s white hat bug bounty program.

Ensign said she was concerned about the way reporters had portrayed Uber’s use of its bug bounty program by framing it as Sullivan’s way of disguising a $100,000 payoff to two hackers.

“I was concerned with the characterizations that the bug bounty program had been used to cover up the incident which was not consistent with what I had experienced,” she testified. “My understanding was there were a couple of reasons for using the bug bounty program. The first was the company did not have formal policy for dealing with extortion attempts or how to make that payment.”

Ensign explained that the bug bounty program was the best way to make the payment quickly in Bitcoin, the form of payment the hackers were demanding. Also, “using information we could glean through the transaction to support attribution efforts.”

U.S. District Judge William Orrick sustained the prosecution’s objection to the word scapegoat, but under questioning from Sullivan's attorney John Cline, Ensign said she believed Sullivan was made out to be the villain after CEO Dara Khosrowshahi took the helm from Travis Kalanick in the fall of 2017 and launched his “Uber 2.0” campaign to rehabilitate the company’s image after a series of scandals.

Sullivan was fired on Nov. 21, 2017, the same day Uber issued a blog post publicly disclosing the breach.

“When you can portray a specific individual as a bad apple you can remove that bad apple from the situation and distance the company from the situation they are accused of,” Ensign said.

“So that was what Uber PR was doing?” Cline asked.

“That's what I believed they were doing,” Ensign said.

Ensign said she had no idea that Sullivan was going to be fired until it happened.

“I found out when the announcement was made public,” she testified.

Ensign said she was also kept in the dark about the planned disclosure.

“A colleague in another office heard a disclosure was coming and expected there would be a comms plan for that and anticipated that I would be the one putting it together. I had no idea what they are talking about.”

Bloomberg was first to break the news after being tipped off by Uber through a standard PR industry practice called “pre-briefing.”

“You give a select journalist access to information before it's available to the general public. That gives them time to write their articles before it becomes public,” Ensign explained. “The advantage is it focuses the details and the narrative of that article so it's more predictable and you can anticipate what that story is going to say.”

“Does it help shape the narrative?” Cline asked.

“Yes,” she answered. “The relationship between comms team and journalists is when journalists are given exclusive access to information others don’t have, you have more time to work with them and shape their article.”

Under cross-examination by Assistant U.S. Attorney Benjamin Kingsley, Ensign said it was “fair” to say she’d felt cut out of the process, and that she didn't know Sullivan had been questioned by outside investigators Uber had hired.

While Sullivan's lawyers say Uber’s legal department and its outside counsel were responsible for any failure to report the breach to the FTC, weeks of testimony have revealed that its in-house lawyers were largely kept in the dark about the hack, with the exception of Craig Clark, an attorney tasked with liaising between the legal and security teams. Clark was fired alongside Sullivan, and was given immunity by the government in exchange for his testimony earlier in the trial.

A Nov. 15, 2016 email exchange between Ensign and Candace Kelly, Craig’s in-house supervisor, shows Kelly appeared to think Clark had a handle on things.

“I saw your doc on the extortion issue,” Kelly wrote to Ensign. “Do you know who in legal they are working with or is that me?”

“Craig Clark is leading for legal with the security team,” Ensign wrote back. “I wanted you to be in the loop in case public disclosure is needed.”

“Got it, thanks,” Kelly replied.

“In the end it turned out that based on Mr. Clark's advice, disclosure was not necessary for this incident?” Cline asked.

“Correct,” Ensign answered.

“That was where things stood at end of 2016?”

“Yes,” Ensign said.

Thursday marked the last day of testimony in the two-week trial as the defense wrapped its case.

Follow @MariaDinzeo
Categories / Criminal, Technology, Trials
