Wednesday, December 7, 2022
Courthouse News Service

Uber’s former security chief goes on trial for data breach cover-up

On trial for obstruction and hiding a felony from authorities, Uber’s former chief security officer Joseph Sullivan says he was unfairly scapegoated for the company’s mishandling of a major data breach.

SAN FRANCISCO (CN) — 2017 was a tumultuous year for Uber, which posted a net loss of $4.5 billion and saw embattled co-founder Travis Kalanick resign as CEO following a sexual harassment scandal. The last thing the ride-hailing giant needed was more negative press.

Now, lawyers for Uber’s former security chief Joe Sullivan say the company used him as a fall guy for a massive data breach that exposed the personal information of 57 million users to protect the legacy of incoming CEO Dara Khosrowshahi, who promised to rehabilitate Uber’s image.

Sullivan’s trial on charges that he covered up the 2016 breach opened Wednesday with lead defense counsel David Angeli telling a federal jury that Khosrowshahi and Uber higher-ups in its legal department hid their knowledge of the breach for months before disclosing it to the public in November 2017.

“By the time this incident was disclosed Mr. Khosrowshahi had been the CEO for three months. This matter had become this problem. And he knew when this matter got disclosed it would end up defining his tenure at Uber, unless he distanced himself,” Angeli said. "How could he distance himself? By firing the last remaining executive who had been hired by the last CEO, and claiming he had been hiding the incident all along.”

After Sullivan was booted from his job, prosecutors charged him in 2020 with obstruction and with failing to report a felony to authorities, known in Justice Department parlance as misprision of a felony. Three wire fraud counts were added later but dropped just ahead of trial.

In his opening statement to the jury, Assistant U.S. Attorney Andrew Dawson said Sullivan orchestrated the cover-up and hid it from both his employers and the Federal Trade Commission, which was investigating Uber’s data security practices in the wake of a different data breach in 2014.

Dawson said Sullivan bought the two hackers off with a $100,000 payment funneled through Uber’s bug bounty program, in which white-hat hackers are paid to find and report security flaws.

“Sullivan knew exactly what he had done. He covered up a data breach, he covered up a crime and he obstructed the FTC's effort to safeguard user data,” Dawson told the jury, describing Sullivan’s actions as “comprehensive and calculated.”

“He orchestrated the $100,000 payment in exchange for their silence,” Dawson said. “The hackers promised to stay quiet through a non-disclosure agreement prepared by Sullivan and his team that falsely stated that the hackers did not take any data. By classifying this as a bug bounty, Sullivan made sure the breach did not draw undue attention."

Angeli presented a vastly different portrait of Sullivan: a former federal prosecutor who specialized in cybercrime and whose talents carried him through a storied career at tech giants, first at eBay, then at PayPal and later as head of security at Facebook.

“What this case is really about is a security professional who worked around the clock under enormous pressure to protect people's data; who did not hide what happened in 2016. And now the government is second guessing him,” Angeli said.

He blamed Uber’s legal department for failing to keep the FTC informed about the 2016 breach, saying, “it was the legal department’s responsibility to advise whether incidents like this needed to be reported to the FTC.”

“The government’s assertions are that he actively concealed the incident and he obstructed the FTC from learning about it, and the evidence will show that that just did not happen. The evidence will show that nothing was hidden from anyone,” Angeli said. He noted that at least 30 Uber employees other than Sullivan knew about the breach and the security team’s effort to lock it down, displaying a chart to the jury populated with pictures of staff from Uber’s security, legal and communication departments. “Is this what concealment looks like?” he asked. “Uber apparently didn't tell the media that more than 30 people at the company had been aware of this incident while it was going on.”

But Sullivan was the first in the company to become aware of the breach, through an email he received on Nov. 14, 2016 from an anonymous sender identified only as “[email protected]”.

“Hello Joe,” it read. “I have found a major vulnerability in uber I was able to dump uber database and many other things.”

As Sullivan and his team investigated the breach, they learned that the hackers had used a stolen username and password to log in to GitHub, a code-hosting service where software developers store and share source code, and copy code from a private Uber repository. Using access credentials embedded in that code, the hackers were able to get into an Uber-owned Amazon Web Services account and make off with the personal data of 57 million app users, including names, email addresses and phone numbers, along with 600,000 driver’s license numbers.
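The failure mode described above, cloud credentials sitting in source code that a stolen GitHub login exposes, is one that a repository secret scan catches before an attacker does. The following is an added example, not code from the article, from Uber or from the court record: a small pre-commit-style scanner that flags AWS access key IDs by their fixed prefix and flags candidate secret keys only when a "secret" keyword appears on the same line and the 40-character value has high Shannon entropy, which filters out placeholders like "aaaa…". The repository contents, paths and keyword regexes are constructed for this example; the key values are AWS's published documentation placeholders, not live credentials.

```python
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample "repository": file paths and contents are made up for this
# example. The key values are the placeholders AWS uses in its own documentation.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=\"$(vault read -field=id aws/deploy)\"\n"
        "aws s3 sync ./build s3://example-bucket/\n"
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment before running.\n",
}

# Long-lived (AKIA) and temporary (ASIA) access key IDs share a fixed prefix
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret keys are 40 base64-alphabet characters. Alone that pattern is too noisy
# (hashes, tokens), so require a "secret" keyword within 40 chars before it.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n]{0,40}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Heuristic threshold (assumption for this example): a random 40-char secret
# scores around 4.6-5.0 bits/char; repeated or word-like filler scores lower.
ENTROPY_THRESHOLD = 4.0


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    value: str  # masked, so findings can be logged without re-leaking the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    """Keep only the first and last four characters for reporting."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line; access key hits are reported before secret hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "aws_secret_access_key", mask(candidate)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a path -> contents mapping (e.g. the staged files of a commit)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_is_clean(files: Dict[str, str]) -> bool:
    """Gate for a pre-commit or CI hook: True only when no credential-like value is found."""
    return not scan_repo(files)


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
    print("clean" if commit_is_clean(SAMPLE_REPO) else "BLOCKED: credentials found")
```

Run against the sample repository, the scanner flags both lines in `config/settings.py` and blocks the commit, while the deploy script (which pulls the key from a vault at run time) and the README (which names the variable without a value) pass. In practice such a check runs as a pre-commit hook and again server-side, and any key it finds is rotated rather than merely deleted from the repo, since the value survives in history.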

Vasile Mereacre, 23, of Toronto, and Brandon Glover, 26, of Florida, pleaded guilty to the hack in October 2019.

Angeli said it’s not uncommon for a company like Uber to try to maintain confidentiality during an internal investigation of a data breach.

“It was absolutely standard operating procedure at Uber and in the industry generally to keep a tight lid on what you're doing during the investigation. And that's what the team did. There was no effort to conceal what had happened in the long run,” Angeli said.

Though the hackers initially signed confidentiality agreements with Uber under pseudonyms, Sullivan's team was able to track the pair down in early 2017 and have them sign fresh agreements under their real names. Angeli said it was a smart move for Sullivan to urge the hackers to sign the original NDA with Adobe Sign, as it contained an "electronic fingerprint" that helped Sullivan find them.

Dawson said that just ten days before receiving that email from Johndoughs, Sullivan had been questioned for hours by the FTC about Uber's supposedly beefed-up data safeguards.

"For hours the defendant testified under oath about all the things he had done in his tenure to make sure that kind of theft didn't happen again, only to learn 10 days later that it didn't work," Dawson said. "Rather than tell the FTC, or federal law enforcement, or the users whose data had been stolen, Sullivan chose to cover it up."

The 2016 breach and subsequent cover-up only heightened the FTC’s scrutiny of and ire at the ride-hailing giant, and a settlement Uber signed with the consumer watchdog in 2017 was expanded to subject Uber to civil penalties if it ever again deceives the FTC about a breach.

Uber also agreed to pay $148 million in penalties in a multistate settlement in 2018.

In July, the U.S. Department of Justice said it would not prosecute Uber for failing to immediately report the data breach to the FTC in exchange for its cooperation in Sullivan’s case.

Sullivan’s trial is expected to run through the end of September.
