Wednesday, October 5, 2022
Courthouse News Service

Uber’s ex-security chief on data breach disclosure to FTC: ‘It’s legal’s job to decide’

Uber's former security chief told investigators he was more concerned with protecting stolen user data than reporting a serious 2016 security breach to the Federal Trade Commission.

SAN FRANCISCO (CN) — A jury finally got some insight Tuesday into ex-Uber security chief Joe Sullivan’s state of mind as he grappled with a serious data breach in 2016.

Randall Lee, a former partner at law firm Wilmer Cutler Pickering Hale and Dorr, testified that Sullivan spoke at length in a late September 2017 interview about his approach to handling the breach.

Lee and his colleagues were brought in by a special matters committee of Uber’s board of directors to scrutinize how Sullivan and his security team dealt with two hackers who infiltrated one of the company's Amazon-hosted web servers and made off with the personal information of 57 million app users.

Lee said Sullivan made it known that he didn't think it was his duty to report the incident to the Federal Trade Commission, a regulatory agency that was investigating Uber’s security practices following a similar data breach in 2014.

Instead, his main concern was finding out who the hackers were and making sure that the data they swiped didn’t end up “out in the wild,” according to notes from Lee’s interviews with Sullivan that were displayed for the jury in court.

“My focus was we had to get to bottom of this and contain it very fast,” Sullivan reportedly told Lee.

Sullivan, who stands accused of concealing the breach from authorities and obstructing the FTC’s investigation, also made it clear he believed that any duty to disclose rested with Uber’s in-house legal team.

“If we couldn't contain, it's legal's job to decide,” said the notes from Sullivan’s interview. “My assumption was they would conclude yes. Depends on where the users are,” he added, referring to users in the European Union, which has more stringent privacy regulations.

Lee said Sullivan indicated he was satisfied that the data had not been dumped. An Uber representative met separately with the two hackers, Vasile Mereacre and Brandon Glover, in January 2017, and they both signed nondisclosure agreements with their real names.

“That's the gist of what I understood him to be saying,” Lee said on the stand.

Lee also testified that Sullivan, who previously worked as head of security and as a privacy lawyer at Facebook, said he tried to stay out of legal matters at Uber despite holding the additional title of deputy general counsel.

“I've tried hard at Uber not to wear a legal hat,” Sullivan told Lee. “We talked before I started at Uber that this would be different dynamic. I would not be making legal decisions.”

Prosecutors have raised Sullivan’s past career as a former U.S. attorney in the government’s computer hacking and IP unit, as well as his stints as in-house counsel at Facebook and PayPal, to suggest that Sullivan should have known better regarding the breach disclosure.

Sullivan’s interview with Lee indicates he saw it differently. “I do not make disclosure decisions. My team always trained to bring in legal,” he told Lee. He later reiterated, “My focus was on operational side, I always try to stay out of legal decisions. We have a good cross relationship with legal.”

Sullivan named in-house attorney Craig Clark as the liaison between Uber's security and response teams. Clark, who previously worked with Sullivan at Facebook, reported to both Sullivan and to a supervisor on the legal team, an arrangement Sullivan disliked.

“I didn't ask for the [deputy general counsel] title,” Sullivan told Lee. “For a period of time Craig reported to me and I didn't ask for that. I didn't have the bandwidth to manage a lawyer. Craig is a great guy but needs mentoring.”

Lee said he understood Sullivan didn’t want the deputy general counsel title and didn't want to manage Clark, “but I don't think he answered the question that was posed about squaring the title with not having a role in the disclosure.”

Sullivan also told Lee he frequently communicated with then-CEO Travis Kalanick, calling him immediately to inform him of the 2016 breach even though Kalanick was in Europe and about to give a speech. By then, Sullivan said it was clear that the breach was serious “because of what the vulnerability was.” He also called it “too similar to the 2014 data breach.”

“From day one, we had discussions on a regular basis,” Sullivan had said. Notes from Lee's interview with Sullivan show he told the CEO, “the one thing you expected us to handle, we were not doing a good enough job at.”

Sullivan also told Lee that Kalanick favored negotiating with the hackers. Rob Fletcher, a security engineer, took on the task of trying to stall for time by emailing back and forth with Mereacre, who was operating under the pseudonym John Doughs.

According to notes from the interview, Sullivan said Kalanick “likes negotiations so where we were going through the back and forth, the emails Rob was sending to the guy and trying to figure out who he was, trying to play out and slow roll things — TK was really into that back and forth and negotiating and even dollar numbers and stuff like that.”

Uber ultimately paid the hackers a $100,000 ransom in bitcoin through its “bug bounty” program with HackerOne.

Sullivan was fired not long after the interview with Wilmer Hale, but bounced back quickly, becoming chief security officer of Cloudflare in July 2018. In 2020, he was charged with obstruction and concealment of a felony.

Prosecutors told U.S. District Judge William Orrick at a status conference Tuesday afternoon that they plan to wrap their case in chief on Wednesday.

An earlier version of this story said Sullivan had been arrested, which was based on information from a Justice Department press release. The arrest warrant was withdrawn, however, and Sullivan was never in custody.
