Chief Security Officer Convicted of Obstruction

A federal jury convicted Joe Sullivan, former Chief Security Officer of Uber, for obstructing FTC proceedings in connection with his attempted cover-up of a 2016 hack of Uber.  See the 2016 incident in which Sullivan paid a hacker who had infiltrated Uber systems.

A US Attorney’s Office press release explains:

[S]hortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. …

The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.

In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017. …

In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4.

In 2003, Sullivan was sentenced to three years’ probation and a $50,000 fine.

Mass deletion of internal data

Mike Isaac’s Super Pumped (p. 312) reports deletion of internal documents:

Employees were unnerved by mass deletion of internal emails, group chats, and company data, carried out under an internal initiative to “eliminate data waste” throughout all levels of the company. Internally, many believed executives wanted to cover Uber’s tracks, anticipating a subpoena for some unknown future court case.

2014 hack released data about drivers

Mike Isaac’s Super Pumped (p. 208, 215) reports a May 2014 hack in which the names and license numbers of more than 50,000 drivers were compromised.  Uber kept the hack secret, although California law required notifying authorities of a data breach.

Under guidance from new Chief Security Officer Joe Sullivan, Uber finally reported the breach in February 2015, nine months after it occurred.

Circumvented Apple’s privacy protections on IMEI device IDs

Mike Isaac’s Super Pumped (p. 193, 200, 203-204) explains how Apple concealed phones’ IMEI device IDs, but Uber found a way to circumvent this protection.  Uber’s tactic increased its defenses against fake account scammers, but violated Apple’s rules regarding user privacy.  To increase the likelihood that they’d be able to use this tactic, Uber kept it a secret — plus designed its circumvention code with “geofencing” so it would not function for users in greater San Francisco.  But when an Apple tester outside California tested Uber’s app, Apple uncovered Uber’s ruse. Apple was angry not just about the circumvention of its privacy protections, but about the affirmative effort to avoid detection. Apple ultimately told Uber that if it ever again attempted this kind of deception, it would be kicked off of Apple devices permanently.

Kalanick criticized SVP Whetstone for reporting escort bar visit to investigators

After Uber then-CEO Travis Kalanick and colleagues visited an escort bar and tried to cover it up when asked, one person who had been there contacted Rachel Whetstone, then Uber’s senior vice-president of communications and public policy, seeking guidance. Whetstone in turn reported the matter to Uber’s attorneys, who turned it over to Eric Holder, who was at the time investigating possible improprieties at Uber.

Business Insider described Kalanick’s response:

Kalanick was not pleased. As his head of PR, he felt Whetstone was supposed to be defending the company from stories like these, not be part of them.

BI continued, explaining how some at Uber saw Whetstone as “difficult to work with … or even irrational,” but others saw her “speaking truth to power”:

One employee described her as “intellectually honest.” Whetstone was already rich from her years at Google and wasn’t under the spell of potential wealth, which drove other top players at Uber. “That made her feel like she could speak truth to power with Travis,” a former executive said. “She wasn’t part of the group of yes-men who would never disagree with him.”

For her part, Whetstone had become disillusioned with Uber. In her role as a powerful woman in the company, she was someone who many troubled employees and other insiders felt comfortable venting to. As these people shared stories with her, Whetstone began to see Uber differently. She became angry.

She saw a company that needed to grow up, but that under Kalanick wouldn’t.

Ultimately Whetstone resigned and Kalanick accepted her resignation. BI reports that Whetstone’s exit package included millions of dollars’ worth of stock, and that Uber kept Whetstone on as a consultant to save face.

Regulators sued Uber for failing to disclose data breaches

After a data breach in which hackers stole data from about 600,000 drivers globally, for which Uber paid a ransom to hackers but did not notify affected drivers, regulators pursued Uber’s violation of applicable law, including state laws about notifying those subject to data breaches.

  • The FTC filed a revised complaint adding additional concerns to a prior action against Uber. Uber responded by agreeing to expand its prior settlement with the FTC over charges that it deceived consumers about its privacy and data security practices. The FTC specifically criticized Uber for failing to disclose the breach to the FTC until November 2017, fully a year after the breach occurred, even though the FTC was already investigating other Uber data security practices.
  • Pennsylvania sued, threatening a penalty of up to $13.5 million ($1000 for each of the 13,500 Pennsylvania drivers affected).
  • The city of Chicago also sued (complaint), seeking $10,000 per day for each day that Uber violated the state’s disclosure ordinance, as well as $50,000 for violating the Illinois Consumer Fraud Act.

Complained of “extortion” by a former employee, but paid $7.5 million anyway

When former employee Richard Jacobs sent a demand letter alleging possible criminal behavior by the Uber team where he previously worked, Uber viewed the claims as extortion. Uber deputy general counsel Angela Padilla said Jacobs’ claims were “extortionate.” Yet Uber paid Jacobs $4.5 million ($2 million upfront, $1.5 million in stock, and an additional $1 million to consult with the company and cooperate in any investigations over the course of the next year), plus an additional $3 million to his attorney.

Concerns resulting from Jacobs’ letter and the practices he reported