Uber's Data Breach & Security Cover-Up Scandal
Uber Ordered to Produce Records About 2016 Hack and Cover-Up

Former security chief seeks documents to battle criminal charges that he misled officials

A federal judge ordered Uber Technologies Inc. to turn over unredacted documents that could reveal more details about how company brass responded to a 2016 data breach, which led to costly legal battles for the ride-sharing giant and criminal charges for its then-security chief over a cover-up.

Judge William Orrick of the U.S. District Court for the Northern District of California said hundreds of internal communications sought by Uber’s former chief security officer may be necessary for his defense against allegations that he tried to mislead U.S. officials about the incident.

Joseph Sullivan is accused of attempting to conceal an incident in which Uber allegedly paid hackers $100,000 in bitcoin to destroy stolen data about 57 million passengers and drivers. He has pleaded not guilty.

Some security experts view the case as pivotal in determining corporate officers’ legal liability for their handling of cyberattacks—and evidence that security chiefs should push for built-in safeguards from their employers.

“When you’re negotiating your contract, should you make sure you have strong liability protection? I would,” said Patrick Gaul, executive director of the National Technology Security Coalition, a trade group that advocates for chief information security officers.

Lawyers for Mr. Sullivan and Uber will review the unredacted records to determine whether they are relevant to his defense, the judge said Tuesday. The order comes despite objections from federal prosecutors and Uber, which argued the documents were protected by attorney-client privilege as well as the work-product doctrine for materials that are prepared in anticipation of litigation.

Lawyers for Mr. Sullivan in court filings said about 660 unredacted emails and other communications will show that at least two dozen Uber officials from legal, public relations and other teams took part in the company’s response to the 2016 breach. That included allegedly withholding information from Federal Trade Commission investigators who were concurrently probing a 2014 breach.

The documents could show a “thus-far successful effort to scapegoat Sullivan for conduct known and approved at the highest level of the company and within its Legal department,” Mr. Sullivan’s lawyers said in court documents. Uber fired Mr. Sullivan in 2017.

Judge Orrick on Tuesday ordered the legal teams to keep the documents confidential during their review. It is unclear if any will be made public if the case goes to trial.

Uber, the federal prosecutor’s office and Mr. Sullivan’s lawyers didn’t respond to requests for comment. Travis Kalanick, Uber’s chief executive at the time of the 2016 breach, couldn’t immediately be reached for comment.

The order is the latest twist in yearslong fallout from the incident, in which Mr. Sullivan allegedly arranged to pay off two hackers through a bug bounty program typically used to reimburse legitimate security researchers who find vulnerabilities. In return, prosecutors allege, the hackers were required to sign nondisclosure agreements and destroy stolen data that included email addresses, phone numbers and driver’s license numbers. Two men later pleaded guilty to charges that they carried out the hack and extortion scheme.

Uber CEO Dara Khosrowshahi disclosed the breach in 2017 as the company pursued a deal for SoftBank Group Inc. to buy a 15% stake. In 2018, the ride-hailing company struck a $148 million settlement with attorneys general from all 50 states and the District of Columbia over allegations that it failed to properly report a breach of consumer data.

Federal prosecutors in 2020 charged Mr. Sullivan with obstruction of justice and concealing a felony, and added three wire fraud counts last year. Lawyers for Mr. Sullivan, who in 2018 became chief security officer for cloud-infrastructure provider Cloudflare Inc., motioned this month to dismiss the wire fraud charges.

Here's the Daily's previous coverage on the Uber case:

December 22, 2021: Former Uber Chief Security Officer To Face Wire Fraud Charges

August 24, 2020: Watch: Former Uber CSO Charged With Covering Up 2016 Data Breach

August 21, 2020: Former Chief Security Officer For Uber Charged With Obstruction Of Justice

September 27, 2018: Uber Fined $148 Million for Breach Cover-Up

February 7, 2018: Uber Paid Hackers $100K to Destroy Stolen Data on 57M people, Keep Quiet

December 1, 2017: Three Uber security managers resign after CEO criticizes practices