In November 2017, with Dara Khosrowshahi a few months into his job as Uber CEO, the ride-hailing company came to me with some explosive information: The company claimed that during Travis Kalanick’s time as CEO, Uber had covered up a massive data breach. Hackers had downloaded sensitive information about Uber’s riders and drivers, and the company’s chief security officer, Joe Sullivan, had kept it under wraps by paying the hackers $100,000. Uber fired Sullivan and one of the company’s lawyers.
I published the exclusive story with the headline "Uber Paid Hackers to Delete Stolen Data on 57 Million People."
Cyber security reporters have — for years — raised questions about the Khosrowshahi regime’s story. Sullivan tried to frame the $100,000 payout as part of the company’s white-hat bug bounty program. And Sullivan’s defenders argued that Kalanick-era Uber’s effort to conceal the payout — at a time when it was under investigation by the Federal Trade Commission over a prior data breach — looks even less anomalous today, in a world where companies pay ransoms to hackers all the time.
So I’ve watched the case closely over the years to see whether I’d been had.
Had Khosrowshahi and crew whipped up a fake scandal? (I never quite understood why they would need to — Kalanick-era Uber already had so many.)
Over the years, the legal system has consistently validated Khosrowshahi-era Uber’s account.
In 2018, Uber reached a $148 million settlement with 50 states and the District of Columbia over its handling of the data breach.
In 2019, two men pleaded guilty to the Uber hack.
In 2020, the Justice Department indicted Sullivan, a former federal prosecutor, for his handling of the hack.
Finally, last week a jury found Sullivan guilty of both counts that prosecutors brought against him. (Those charges were obstruction of the Federal Trade Commission and misprision of a felony.)
Still, parts of the cyber security world defended Sullivan’s actions.
Joseph Menn, the well-respected cyber security reporter for the Washington Post and author of Cult of the Dead Cow, recently quoted security experts raising concerns about the potential ramifications of the guilty verdict.
Most security professionals had been anticipating Sullivan’s acquittal, noting that he had kept the CEO and others who were not charged informed of what was happening.
“Personal liability for corporate decisions with executive stakeholder input is a new territory that’s somewhat uncharted for security executives,” said Dave Shackleford, owner of Voodoo Security. “I fear it will lead to a lack of interest in our field, and increased skepticism about infosec overall.”
John Johnson, a “virtual” chief information security officer for multiple companies, agreed. “Your company leadership could make choices that can have very personal repercussions to you and your lifestyle,” he said. “Not saying everything Joe did was right or perfect, but we can’t bury our head and say it will never happen to us.”
So Tom Dotan and I invited Menn onto the Dead Cat podcast to get his perspective on Sullivan’s conviction. We also asked Menn about cryptocurrency hacks, Cult of the Dead Cow, and Twitter’s whistleblower.