Ex-Uber security chief faces trial for breach cover-up

The breach revealed data on 57 million riders and drivers

But Sullivan's lawyers say the company made him a scapegoat

A federal trial has started in the USA against Joe Sullivan, Uber's former security chief, who is accused of failing to report a massive data breach while working for the company.

The breach was first made public in November 2017 when Uber's CEO, Dara Khosrowshahi, said hackers had obtained access to the private data of up to 57 million Uber users and drivers, as well as 600,000 US Uber drivers' driver's licence numbers.

In July this year, as part of a deal with the US Department of Justice to avoid prosecution, Uber admitted concealing the cybersecurity incident.

Arguments on whether Sullivan covered up the breach are now being heard in the US federal court in San Francisco.

The prosecutor's office filed charges against Sullivan in 2020, for obstruction and failing to disclose a crime to the authorities.

Three counts of wire fraud were added later, but these were dismissed before the trial.

Sullivan is believed to be the first executive of a company who may be held criminally liable for a data breach, although he has pled not guilty.

Uber fired Sullivan in 2017, after which he found work as the head of security at the internet infrastructure firm Cloudflare, but left his position at the company to prepare for his trial.

Federal prosecutors have claimed Sullivan instructed his staff to keep information on the breach "tightly controlled," and to frame the event as part of a bug bounty programme.

Bug bounty programmes encourage security researchers and hackers to find and disclose flaws in return for financial incentives. However, the prosecutors claim that Uber's programme was not permitted to reward 'a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems'.

Federal prosecutors also claim that the $100,000 bounty paid to the hacker(s) was the highest payoff Uber had ever offered up to that date.

They allege that Sullivan had the hackers sign an additional NDA that falsely indicated they had neither taken nor stored any data during their attack.

As per the Department of Justice complaint, only Sullivan and former Uber CEO Travis Kalanick were aware of the entire scope of the breach, and played a part in the decision to treat it as an authorised disclosure via the bug bounty programme.

Assistant US Attorney Andrew Dawson said in his opening remarks to the jury that Sullivan planned the cover-up and concealed it from both his employer and the Federal Trade Commission (FTC), which was looking into Uber's data security procedures after another breach in 2014.

"Sullivan knew exactly what he had done. He covered up a data breach, he covered up a crime and he obstructed the FTC's effort to safeguard user data," Dawson told the jury.

Sullivan's attorneys claim that Uber used him as a scapegoat for the serious security lapse in order to save the reputation of new CEO Dara Khosrowshahi, who had pledged to restore Uber's image.

Khosrowshahi and other Uber executives in the company's legal department withheld their knowledge of the breach for months until reporting it to the public in November 2017, lead defence counsel David Angeli told the jury.

"By the time this incident was disclosed Mr. Khosrowshahi had been the CEO for three months. This matter had become his problem. And he knew when this matter got disclosed it would end up defining his tenure at Uber, unless he distanced himself," Angeli said.