Dara Khosrowshahi, Uber’s chief executive, said in court on Friday that he had fired Joe Sullivan, the former Uber security chief who is on trial over a 2016 security breach, because he could not trust him.
“He was my chief security officer, and I couldn’t trust his judgment anymore,” Mr. Khosrowshahi said of Mr. Sullivan. “I thought the decision to not disclose” the breach “was the wrong decision.”
Mr. Khosrowshahi was a star witness at the trial of Mr. Sullivan, who has been accused of obstructing justice for failing to disclose the 2016 breach, which affected the Uber accounts of more than 57 million riders and drivers. Mr. Sullivan’s lawyers have argued that Uber’s management team, led by Mr. Khosrowshahi, unfairly targeted him as the company worked to recast its image after the freewheeling reign of its former chief executive, Travis Kalanick.
He said that he fired Mr. Sullivan in 2017 because Mr. Sullivan misled him in an email about the 2016 incident. Mr. Khosrowshahi added that Uber later reported the incident to regulators because it was in the best interest of the public.
The outcome of the trial could change how professionals handle security incidents, experts have said. Many believe that Mr. Sullivan is the first company executive to face felony prosecution for a data breach.
The hack was discovered in 2016, while the Federal Trade Commission was investigating a previous data breach at Uber. Mr. Sullivan received an email from a hacker claiming he had found a major security vulnerability in Uber’s online systems and that he was able to obtain information from the company.
About a day later, Mr. Sullivan learned that the hacker had downloaded a database containing the personal data of about 600,000 Uber drivers and additional personal information associated with 57 million riders and drivers, according to court testimony and documents.
Mr. Sullivan and his team eventually referred the hacker and an accomplice to Uber’s bug bounty program, a common way of paying security researchers to identify and report security vulnerabilities. Through the program, Uber paid the hackers $100,000 and had them sign nondisclosure agreements.
Uber didn’t publicly disclose the incident or inform the F.T.C. until after Mr. Khosrowshahi took over as chief executive in the fall of 2017. The two hackers eventually pleaded guilty to hacking.
Most states require companies to disclose security breaches if hackers obtain personally identifiable information and a certain number of users are affected. There is no federal law requiring companies or executives to disclose breaches to regulators.
Federal prosecutors accused Mr. Sullivan of concealing a felony for failing to disclose the breach to the F.T.C. while the company was already under investigation by the agency.
“Lots of people are actually scared about what prosecuting Joe Sullivan means for security professionals,” said Whitney Merrill, a longtime security and privacy professional and lawyer who previously spent time at the F.T.C. “But I think this is a lesson for any high-level official who must communicate with the federal government: You can’t treat communications with the federal government like it’s no big deal.”
Mr. Khosrowshahi said that after he took over as Uber’s chief executive, he learned about the data breach and asked Mr. Sullivan to provide additional details by email.
Mr. Sullivan sent an email to Mr. Khosrowshahi a few days later, according to court testimony and documents. Later, after asking outside firms to investigate the matter, Mr. Khosrowshahi learned that the email didn’t acknowledge that the hackers had downloaded personal information about drivers and riders.
He also learned that the email had not disclosed that Mr. Sullivan and his team had paid the hackers $100,000, an unusually large sum for the bug bounty program, Mr. Khosrowshahi said.
“Based on the facts that I had learned, we had an obligation to disclose” the incident to regulators, he said on the stand. “These security issues are serious, and if there’s the possibility of an obligation to disclose, you must. People are affected by this.”
Uber discovered that it had been breached again on Thursday when a hacker announced their presence in the company’s workplace messaging system, Slack. The hacker claimed to have access to numerous internal systems used by the company to manage its data, code and communications. Uber shut down Slack and other corporate systems on Thursday evening as it investigated the extent of the breach, and notified law enforcement.
On Friday, Uber said it had found no evidence that the hacker had gained access to “sensitive user data” like trip history. All of its services, including its flagship app and Uber Eats, its food delivery service, were functioning, the company said.
Kate Conger contributed reporting.