Lawyers for Uber’s Ex-Security Chief Say Company Scapegoated Him


Federal prosecutors say Joe Sullivan obstructed justice when in 2016, as the chief of security for Uber, he failed to disclose a breach of driver and customer records to government regulators.

But Mr. Sullivan’s lawyers say that he in no way concealed the incident and that claims that he broke the law stem from Uber’s efforts to recast its image following the turbulent reign of the company’s former chief executive Travis Kalanick.

Opening arguments began on Wednesday in a San Francisco federal court in what is expected to be a monthlong trial for Mr. Sullivan, who, in addition to obstruction of justice, is accused of concealing a felony. Many security experts believe that Mr. Sullivan, a former federal prosecutor, is the first executive at a company to face potential criminal liability for a data breach.

Corporate security officials say the trial’s outcome could inform how they handle security incidents, including how they interact with hackers and when they reveal information to consumers and regulators.

“There is the threat of jail time. You can’t put a company in jail. You can put an executive in jail. Now, that is on the table,” said Chinmayi Sharma, a scholar in residence and lecturer at the Robert Strauss Center for International Security and Law at the University of Texas at Austin.

In 2016, Mr. Sullivan learned that hackers had gained access to the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to the criminal complaint against him.

Mr. Sullivan referred the hackers to Uber’s bug bounty program, a common way of paying “white hat” security researchers to identify and report security vulnerabilities in popular online services, prosecutors said on Wednesday.

Through the program, Uber paid the hackers $100,000 and had them sign nondisclosure agreements, federal prosecutors said. The company did not disclose the incident to the public or inform the Federal Trade Commission of it.

The two young men responsible for the incident later pleaded guilty to hacking. One of them is expected to testify in the trial.

The government accuses Mr. Sullivan of failing to disclose the breach to the F.T.C. while the agency investigated Uber over an earlier incident.

In all 50 states, companies are required to disclose security breaches if hackers download personally identifiable data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.

One of Mr. Sullivan’s attorneys said the responsibility for reporting the incident had rested with Uber’s legal team. Mr. Sullivan, he argued, properly disclosed the incident to the legal team and others at the company.

“You won’t hear a single witness take that stand and say that Joe Sullivan told them to lie to the F.T.C. or destroy documents or hide what had happened from Uber’s senior management or the Uber legal team,” said David Angeli, one of Mr. Sullivan’s attorneys.

The data breach did not become public until 2017, when Dara Khosrowshahi became Uber’s new chief executive and fired Mr. Sullivan. Uber declined to comment for this story.

Mr. Angeli said that the notion that Mr. Sullivan had concealed the breach was a “narrative” created by Uber’s new executive team and that Mr. Khosrowshahi had accused Mr. Sullivan of failing to disclose the incident because Mr. Khosrowshahi had wanted to distance the company from its past.

“His mantra was Uber 2.0,” Mr. Angeli said of Mr. Khosrowshahi. “He wanted to turn the page of what Uber was doing.”

Andrew Dawson, an assistant U.S. attorney, said Mr. Sullivan had tried to conceal the incident both before and after Mr. Khosrowshahi had joined the company. “This is a case about a cover-up, about payoffs and about lies,” he said. “The evidence will show that Mr. Sullivan paid for the hackers’ silence” because Uber was being investigated by the F.T.C.

Mr. Dawson said Mr. Sullivan had lied to Mr. Khosrowshahi in an email describing the incident to the new Uber chief executive, implying that the hackers had not downloaded any data from the company.

Mr. Angeli argued that Mr. Sullivan had very few communications with the F.T.C. during the agency’s investigation of Uber and that the company’s lawyers had been responsible for its response to the investigation.

“The Uber legal team had all the information it needed” in order to decide whether the company should report the 2016 security incident to the agency, he said.

He said that 30 people at the company had known about the breach and that Mr. Khosrowshahi had been aware of it for almost three months before the company had reported it. By putting the blame on Mr. Sullivan, he argued, Uber’s new management team was able to wash their hands of the incident.



Source: https://www.nytimes.com/2022/09/07/technology/uber-security-chief-trial.html