Uber Boss Testifies He ‘Could Not Trust’ Ex-Security Chief
Dara Khosrowshahi, Uber’s chief executive, said in court on Friday that he had fired Joe Sullivan, the former Uber security chief who is on trial over a 2016 security breach, because he could no longer trust him.
“He was my chief security officer, and I could not trust his judgment anymore,” Mr. Khosrowshahi said of Mr. Sullivan. “I thought the decision not to disclose” the breach “was the wrong decision.”
Mr. Khosrowshahi was a star witness at the trial of Mr. Sullivan, who has been accused of obstructing justice for failing to disclose the 2016 breach, which affected the Uber accounts of more than 57 million riders and drivers. Mr. Sullivan’s lawyers have argued that Uber’s management team, led by Mr. Khosrowshahi, unfairly targeted him as the company worked to recast its image after the freewheeling reign of its former chief executive, Travis Kalanick.
He said that he fired Mr. Sullivan in 2017 because Mr. Sullivan misled him in an email about the 2016 incident. Mr. Khosrowshahi added that Uber later reported the incident to regulators because it was in the best interest of the public.
The outcome of the trial could change how professionals handle security incidents, experts have said. Many believe that Mr. Sullivan is the first company executive to face criminal prosecution for a data breach.
The hack was discovered in 2016, while the Federal Trade Commission was investigating a previous data breach at Uber. Mr. Sullivan received an email from a hacker claiming he had found a major security vulnerability in Uber’s online systems and that he was able to download information from the company.
About a day later, Mr. Sullivan learned that the hacker had downloaded a database containing the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents.
Mr. Sullivan and his team eventually referred the hacker and an accomplice to Uber’s bug bounty program, a common way of paying security researchers to identify and report security vulnerabilities. Through the program, Uber paid the hackers $100,000 and had them sign nondisclosure agreements.
Uber did not publicly disclose the incident or inform the F.T.C. until after Mr. Khosrowshahi took over as chief executive in the fall of 2017. The two hackers eventually pleaded guilty to hacking.
Most states require companies to disclose security breaches if hackers download personally identifiable data and a certain number of users are affected. There is no federal law requiring companies or executives to reveal breaches to regulators.
Federal prosecutors accused Mr. Sullivan of concealing a felony for failing to disclose the breach to the F.T.C. while the company was already under investigation by the agency.
“A lot of people are really scared about what prosecuting Joe Sullivan means for security professionals,” said Whitney Merrill, a longtime security and privacy professional and lawyer who previously spent time at F.T.C. “But I think this is a lesson for any high level official who must communicate with the government: You can’t treat communications with the government like it’s no big deal.”
Mr. Khosrowshahi said that after he took over as Uber’s chief executive, he learned about the data breach and asked Mr. Sullivan to provide additional details over email.
Mr. Sullivan sent an email to Mr. Khosrowshahi a few days later, according to court testimony and documents. Later, after asking outside firms to investigate the matter, Mr. Khosrowshahi learned the email did not acknowledge that the hackers had downloaded personal information about drivers and riders.
He said he also learned that the email had not disclosed that Mr. Sullivan and his team had paid the hackers $100,000, an usually large sum for the big bounty program, Mr. Khosrowshahi said.
“Based on the facts that I had learned, we had an obligation to disclose” the incident to regulators, he said on the stand. “These security issues are serious, and if there is the potential of an obligation for disclose, you have to. People are affected by this.”
Uber discovered that it had been breached again on Thursday when a hacker announced their presence in the company’s workplace messaging system, Slack. The hacker claimed to have access to numerous internal systems used by the company to manage its data, code and communications. Uber shut down Slack and other corporate systems on Thursday evening as it investigated the extent of the breach, and notified law enforcement.
On Friday, Uber said it had found no evidence that the hacker had gained access to “sensitive user data” like trip history. All of its services, including its flagship app and Uber Eats, its food delivery service, were functioning, the company said.
Kate Conger contributed reporting.