Fired Chief Security Officer Joe Sullivan

Mike Isaac’s Super Pumped (p.396) reports new Uber chief legal officer Tony West fired Chief Security Officer Joe Sullivan for the 2016 incident in which Sullivan paid a hacker who had infiltrated Uber systems.  In West’s view, this was an improper payment, and Sullivan should have sought legal advice and informed authorities of the breach.  In Sullivan’s view, paying a hacker was legitimate.

Uber asked Sullivan to sign a non-disparagement agreement in exchange for a severance payment. When Sullivan refused to sign, Uber leaked the story to a reporter, calling the payment a cover-up operation to pay off hackers and hide evidence from consumers.  West’s view was vindicated when Sullivan was convicted of federal charges in 2022.

Chief Security Officer Convicted of Obstruction

A federal jury convicted Joe Sullivan, former Chief Security Officer of Uber, for obstructing FTC proceedings in connection with his attempted cover-up of a 2016 hack of Uber.  See the 2016 incident in which Sullivan paid a hacker who had infiltrated Uber systems.

A US Attorney’s Office press release explains:

[S]hortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. …

The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.

In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017. …

In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4.

In 2023, Sullivan was sentenced to three years’ probation and a $50,000 fine.

2014 hack released data about drivers

Mike Isaac’s Super Pumped (p. 208, 215) reports a May 2014 hack in which the names and license numbers of more than 50,000 drivers were compromised.  Uber kept the hack secret, although California law required notifying authorities of a data breach.

Under guidance from new Chief Security Officer Joe Sullivan, Uber finally reported the breach in February 2015, nine months after it occurred.

Covered up 2016 hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US driver’s license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters reported that new CEO Dara Khosrowshahi said he had only learned about the problem “recently.”

Uber Chief Security Officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Board hired law firm to investigate internal competitive intelligence efforts

Bloomberg reports that Uber’s board hired an external law firm “to question security staff and investigate activities” overseen by Joe Sullivan, Uber’s Chief Security Officer. Bloomberg says the investigation specifically included COIN, the Competitive Intelligence program whereby Uber collected information about drivers and activity at Grab (via a system Uber called Surfcam) as well as Lyft (via Hell), and other Sullivan efforts including surveilling competitors and certain employees, as well as vetting potential hires.

Security officer designated as attorney

Bloomberg reports that Uber’s Chief Security Officer, Joe Sullivan, was also assigned the title of deputy general counsel. Bloomberg notes the importance of this designation: it “could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.”

Hired private investigators to monitor employee, surveil competitors, and vet potential hires

Bloomberg reports that Uber hired private investigators to monitor an employee, China strategy chief Liu Zhen. It seems Uber’s concern was that Liu’s cousin Jean Liu is president of ride-hailing competitor Didi Chuxing.

Bloomberg further reports Uber surveilling competitors, and conducting “extensive vetting on potential hires.”

The use of private investigators was overseen by Joe Sullivan, Uber’s Chief Security Officer, through a team called Strategic Services Group.

Tracked driver activity on Lyft servers

News site The Information in April 2017 reported that Uber built a program it called “Hell” to track how many Lyft drivers were available, where they were located, and whether they also drove for Uber.  Uber then targeted these drivers with special promotions to encourage them to use Uber only.

By all indications, Uber collected data for “Hell” by connecting to Lyft’s servers in a manner prohibited by Lyft’s Terms of Service.

The Information reported that Uber then-CEO Travis Kalanick personally praised the Hell team, saying that they demonstrated Uber’s culture in their willingness to “hustle” in order to win.

In September 2017, the Wall Street Journal reported that the FBI was investigating Uber’s “Hell” practices.

Bloomberg reports that Hell was overseen by Joe Sullivan, Chief Security Officer of Uber, through a team formerly known as Competitive Intelligence.

See also the “Surfcam” program whereby Uber tracked data from Grab.

Hired a private investigator to investigate litigation adversaries

Uber hired a private investigator to interview friends and colleagues of Stephen Meyer, plaintiff in class action litigation against Uber, as well as Meyer’s attorneys.  Interviewing acquaintances and professional colleagues, the PI falsely claimed to be “profiling top up-and-coming” leaders and conducting “real estate market research.”  When plaintiff’s counsel learned about these inquiries and asked Uber’s counsel whether Uber had hired a PI, Uber attorneys claimed “Whoever is behind these calls, it is not us.”  But as evidence mounted, Uber eventually admitted to having initiated the investigation.

In criticizing Uber’s decision to “hire unlicensed private investigators to conduct secret personal investigation of both the plaintiff and his counsel” as well as the “blatant misrepresentations” and “false pretenses” of the investigation, federal judge Jed Rakoff found “sufficient basis to suspect that Ergo had committed fraud in investigating plaintiff through the use of false pretenses” and that Uber’s instructions had furthered the fraud.  Uber paid an undisclosed sum to plaintiff and plaintiff’s attorneys to resolve this misconduct.

Rakoff’s decision indicates that Uber’s investigation of Meyer and his attorneys was initiated by Uber then-General Counsel Salle Yoo, who sought assistance from Chief Security Officer Joe Sullivan.

Private investigator’s report.  Uber staff communicated with the private investigator using Wickr, a self-deleting messaging app, though some messages were recovered during subsequent litigation.

Meyer v. Kalanick – litigation docket