SAN FRANCISCO (CN) — The obstruction trial of ex-Uber security chief Joe Sullivan has yielded little clarity on who made the ultimate decision to pay off two hackers behind a 2016 data breach. But testimony and evidence this week revealed that the company paid them $100,000 and had them sign nondisclosure agreements without first learning their identities or confirming that they had deleted the data they stole.
Sullivan’s defense attorney David Angeli grilled former Uber attorney Craig Clark on Thursday on his role in drafting the NDA sent to admitted hacker Vasile Mereacre, who was still going by his pseudonym “John Doughs.”
Clark had testified on Wednesday that Sullivan made a critical edit to a provision in the agreement that he believed rendered it inaccurate, but under questioning from Angeli, Clark acknowledged that he had made the change, though Sullivan had edited other parts of the draft.
Clark also admitted that he had not been completely truthful in his representations to prosecutors that Sullivan had omitted the word “obtained” in the provision that initially said: you promise that you did not take or store any data obtained during or through your search to us. . .”
Clark, who was given immunity for his testimony, allegedly told the government that the deletion of the word “obtained” made the agreement “inaccurate” and that Sullivan had said the language “was going to stay" after Clark raised his concerns.
He said he had apparently misremembered the events, since documents displayed to the jury showed Clark had removed the word, and that “there were inaccuracies” in his statement to prosecutors and federal agents.
But the NDA is only part of the larger scheme. Sullivan stands accused of covering up the breach and failing to disclose it to the Federal Trade Commission during its investigation of Uber’s security practices following a similar breach in 2014.
The NDA factors in because Clark and other engineers on Uber’s security team testified that protecting the stolen data and ensuring that it wouldn’t be dumped on the internet was top priority for the team.
They also said that learning the hackers’ identities was of utmost importance.
But Mereacre admitted on the stand Monday that he had signed two separate agreements using phony names. The first he signed as John Doughs, and when Uber called him on it, he signed a second agreement under the name “William Loafman.”
He and his accomplice Brandon Glover did not sign the agreements with their real names until Uber’s security team tracked them down in early January 2017.
By then they had already been paid. Mereacre also testified that he’d lied about deleting the stolen data.
"I told them I did even though it was false,” Mereacre said. “I still had it on my hard drive.”
Mereacre said no one from Uber ever asked him for proof, though he did delete the data after he decided it was taking up too much space on his hard drive— he and Glover had taken the names, email addresses and phone numbers of 57 million app users, along with 600,000 driver’s license numbers.
Exactly how much Uber’s c-suite knew about the breach remains murky. Clark said Sullivan had told the security response team that he was communicating directly with CEO Travis Kalanick and other members of the “A-Team.”
But the news came as a shock to former General Counsel Salle Yoo, who said on the stand that she was kept in the dark.
Yoo said she learned about the data breach in September 2017, when someone she did not identify asked her what she knew.
She asked Sullivan for more information about it, and on Sept. 20, he sent her and new CEO Dara Khosrowshahi a three-paragraph summary of what had transpired.
“I was surprised, I was shocked, and on my quick review, my personal reaction was that it sounded a lot like the 2014 breach,” Yoo said.
It was particularly shocking because Yoo had only months earlier signed off on a settlement with the FTC over Uber's privacy practices.
Assistant U.S. Attorney Benjamin Kingsley asked Yoo if this was something she would have expected to find out about beforehand, especially since the 2016 breach happened while the agency’s investigation was still ongoing.
“This is the type of event where I would have expected to be brought into the loop while the investigations was going on,” Yoo said.
A few days later, Sullivan sent another email to Yoo that read: "With regard to the substance of the conclusions around whether it would be a data breach, I will take a look and try to send to you . . . anything I can find, if I recall it was no different factually from any others, so not sure whether novel analysis was done by Legal."
Yoo testified: "It did seem very similar factually to the 2014 breach. So I was surprised by his comment about 'novel analysis.'"
She also testified Kalanick never said a word about the breach to her either, though this was not unusual given his tendency to withhold information from his general counsel.
“Did you get the sense that Sullivan understood he should keep you aware of things that would affect the legal team?” Kingsley asked.
“Mr. Sullivan was a very experienced person,” Yoo answered. “I felt he knew how to work with his colleagues — at Uber and elsewhere.”
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.