SAN FRANCISCO (CN) — A onetime attorney for Uber who was fired for his role in a suspected coverup of a major 2016 data breach took the stand in the criminal obstruction trial of his former boss on Wednesday, testifying that ex-security chief Joe Sullivan was responsible for changes to a nondisclosure agreement with two hackers that made the attack seem like a white hat vulnerability report.
Craig Clark was given immunity in exchange for testifying against Sullivan, who stands accused of concealing the breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.
The 2016 hack that exposed the personal information of 57 million Uber users could not have come at a worse time for the company as it was already in the throes of an FTC probe stemming from a similar breach in 2014.
Under questioning by Assistant U.S. Attorney Andrew Dawson, Clark said he recalled Sullivan asking how the incident could be funneled through Uber’s bug bounty program where “researchers” are paid to find and report security flaws.
“I remember Joe asking or saying how can we fit this into bug bounty,” Clark said on the stand.
“Did you take that as a directive to fit this into bug bounty?” Dawson asked, to which Clark answered “Yes.”
Clark testified that if the hack was classified as a bug bounty, the company would not be obligated to report it as a data breach.
“Was it your understanding if Mr. Sullivan was asking for legal advice or giving a directive?” Dawson asked.
“I took it as both,” Clark said. “It was — we need to fit this into bug bounty, how are we going to do it.”
Clark said this conversation happened after he found out that 600,000 driver’s license numbers had been exposed. When asked about his reaction to this knowledge, Clark said, “it was a big sigh and maybe an expletive that we were in reporting land. Once we knew we had driver’s license numbers pretty much everybody knew the implications of that.”
But Clark said he got right to work figuring out a way to turn the breach into a bounty. After a couple of hours, he’d come up with a theory — Uber would treat the two hackers as employees or agents of the company. Of course, it would have to be post-dated. Also, “We had to get the data back, know who they were, make sure the information had not been disseminated,” Clark said. “We needed to have a relationship such as they could be referred to as agents.”
It was admittedly an aggressive plan, but Clark considered himself an aggressive lawyer. He came to the field at a later stage in life, having worked previously as a welder and a lineman for PG&E. But he graduated at the top of his class at UC Hastings Law School before joining the firm White & Case, where he advised tech companies on privacy issues. Then came a stint at Facebook, where he met Sullivan. “He was the golden boy of security. He was well known, very engaged and well respected in the community,” Clark said of his former mentor.
Clark said he so admired and respected Sullivan that when he departed Facebook and joined Uber, Clark wanted to go with him.
“I emailed Joe soon after he left and said, ‘Hey, I want to come too,’” Clark said.
Several other Facebook employees jumped ship and joined them, including information security officer John “Four” Flynn, product security engineer Collin Greene and Mat Henley, who became Uber’s head of “threat ops.”