Saturday, September 24, 2022
Courthouse News Service

Uber CEO Dara Khosrowshahi says he no longer trusted security chief after 2016 data breach probe

Taking the stand Friday at the criminal trial of ex-security chief Joe Sullivan, Uber CEO Dara Khosrowshahi said Sullivan omitted critical information about the breadth of a 2016 data breach. "I couldn't trust his judgment anymore," he testified.

SAN FRANCISCO (CN) — Uber CEO Dara Khosrowshahi testified in federal court Friday that he fired former chief security officer Joe Sullivan because he could no longer trust him after he learned Sullivan hadn’t told him that personal identifying information of 57 million riders and drivers had been downloaded by hackers.

“I decided to fire Joe because he was my chief security officer and I couldn't trust his judgment anymore as my employee,” Khosrowshahi said on the stand. He said Sullivan had omitted certain facts from an email summary he’d sent Khosrowshahi about the incident, including how many riders and drivers it affected, the type of information that was taken, and that data had been downloaded by the hackers.

Khosrowshahi also testified Sullivan did not tell him that Uber paid the hackers $100,000, and Sullivan’s summary led him to assume that only one person had breached the server and that person had been paid only after Uber discerned their identity.

The CEO said he learned the magnitude of the breach only after he launched an independent investigation of the matter.

“The numbers were big, and the fact that a download took place is a significant issue that I became aware of,” Khosrowshahi said. “The payment, which I believe was $100,000, that's just a really big payment that doesn’t fit into a typical bug bounty program. Those were the significant factors that weren't in this original email.”

The fact that data was downloaded, he added, “had significant importance as to whether or not this was a disclosable event.”

Khosrowshahi’s testimony comes just hours after the company suffered a widespread breach of its computer network. Late Wednesday, The New York Times reported that a young hacker claimed to have exploited weak security to access Uber’s email and cloud storage accounts, among others.

Sullivan, a former federal prosecutor and head of security at Facebook, is currently on trial on charges of concealing the attack from authorities and obstructing a Federal Trade Commission investigation of Uber’s security practices stemming from a similar breach in 2014.

Sullivan and his security team treated the hack as a routine bug bounty paid to white hat researchers who find and report security flaws, a common practice at large companies, including Expedia, where Khosrowshahi was CEO before joining Uber in September 2017.

Khosrowshahi said he recalled asking Sullivan for more information about the 2016 incident soon after he took the job. Travis Kalanick had resigned under a cloud of scandal, and a special matters committee was "investigating some allegations that had been made regarding the company.”

“I learned as part of a different investigation that there was an incident and I decided to look into it,” Khosrowshahi said, adding that he contacted Sullivan and asked for more details.

Sullivan sent Khosrowshahi and General Counsel Salle Yoo an email on Sept. 20 summarizing the event in three paragraphs: “Between Oct. 13 and Oct. 15, an unauthorized party gained access to Uber employee GitHub accounts, scanned them for AWS credentials, and then used those credentials to access AWS buckets that contained backup ‘cold storage copies’ of some rider and driver data.” Sullivan wrote that the outsider had contacted Uber anonymously a month later and requested payment. “The report did not come through our standard vulnerability reporting channels and the person wanted to stay anonymous, we were uncomfortable proceeding and initiated a detailed investigation, along with treating it as worthy of a full data breach response at the time.”

He continued, "We stalled negotiation with the third party until attribution could be established, to ensure the credibility of any claimed resolution.”

Khosrowshahi testified that he took this sentence to mean that the “unauthorized party” had been paid after Uber learned his real name.

“We only paid a bounty through the company's HackerOne bounty program when we were confident the matter was resolved with no harm to users," Sullivan wrote. “We have paid out well over a million dollars in the last year and a half through that program to researchers who have found vulnerabilities in our service.”

Sullivan wrote that passwords had been “rotated” (changed), two-factor authentication was enabled on GitHub, “and other steps were taken to ensure the risk of a repeat would be minimized."

Khosrowshahi said he believed at the time that Sullivan’s account was complete, and forwarded it to lawyers from the special matters committee. He grew concerned after some discrepancies emerged.

“After the facts in this email did not match the accounting from the special matters committee that led to my initial inquiry — there were some differences — I had to understand which was the correct version of the truth,” Khosrowshahi said. He said he authorized Uber to hire an outside firm “to understand what happened.”

He said the firm's findings led him to believe he needed to disclose the incident, which Uber did via a public blog post on Nov. 21, 2017.

He also decided to fire Sullivan.

"I found that his email to me was either incomplete or misleading; I don't know which was his intention,” Khosrowshahi testified when asked why his trust in Sullivan had eroded. “And I thought that the decision not to disclose at the time was the wrong decision, and that led me to conclude that I needed to bring in a different head of security. I need to trust my direct reports; I can't launch an investigation every time someone tells me something.”

Assistant U.S. Attorney Benjamin Kingsley asked Khosrowshahi on direct why he had waited nearly two months into his tenure to make the disclosure.

“I wouldn't characterize it as waiting,” Khosrowshahi said. “The actual facts as to whether or not data had been downloaded was not a simple determination. We had to bring in a separate forensic accounting firm to make that investigation. Once we had the full fact base we raced to disclosure; we moved as quickly as we thought was responsible.”

Sullivan's defense attorney John Cline scrutinized Khosrowshahi’s prior statements on cross, noting that he previously said in an interview with a German paper that he would "have done the same thing" as Sullivan.

“You thought paying the hackers money to keep the data safe was the right thing to do?” Cline asked, to which Khosrowshahi answered “Yes.”

"You thought the work that the team did technically did a great job?" Cline asked.

“I thought that the team was competent in their response,” Khosrowshahi replied.

Kingsley, on redirect, asked if Khosrowshahi fired Sullivan “because of the technical competence of his team.”

“No,” he answered. “I fired Mr. Sullivan because I didn't feel like I could trust him anymore.”
