Cyber-security, cover-ups and this guy…

Joe Sullivan was the head of security for Uber, the same title he held at his previous employer, Facebook. His major accomplishment while at Uber, should he care to put it on his resume, is that he paid hackers $100,000 in October 2016 to delete the data they had stolen that contained all the information Uber captures for its 57 million drivers and riders. Sullivan even went the extra mile to cover ‘hack tracks’ and with the approval of former CEO Travis Kalanick, made the hackers sign non-disclosure agreements

 “To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty,’” (a bug bounty is a reward that many companies will pay to someone who discovers a software vulnerability)  The New York Times reporting

Uber fired Sullivan and says his actions violated disclosure laws. After the news came out, some security experts defended Sullivan, saying that $100,000 was a low price to pay for protecting 57 million users. I call bullshit, do the hackers offer a money back guarantee that the they didn’t keep some copy of the data. What the payout bought was intended only to shave bad press at a time Uber was also in the middle of negotiating with the Federal Trade Commission (FTC) for failing to disclose an unrelated data breach in 2014.

• Uber has a documented habit of surveilling people it deems to be a potential threat, including employees, competitors, and its opponents in court. Sullivan was the one to order underlings to dig up dirt on the conservationist Stephen Meyer, who sued Uber for price-fixing.
• Sullivan operated autonomously and secretly by becoming Uber’s deputy general counsel, which let him assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena
• Sullivan was in charge of a team formerly known as Competitive Intelligence or COIN which oversaw projects like “Hell,” which spied on Lyft drivers. Sullivan shut down Hell but kept other programs like it, and COIN was renamed to Marketplace Analytics and then again to Marketplace Integrity.The 57 million-person hack came to light because Uber’s board hired a law firm to investigate Sullivan’s teams, including COIN.
• Former Uber employees allege that Sullivan encouraged his teams to use ephemeral messaging apps in order to “make sure we didn’t create a paper trail that would come back to haunt the company in any potential criminal or civil litigation.”

He started his career as a federal prosecutor focused on tech cases during the internet boom. He then became head of trust and safety at Ebay, where he oversaw PayPal and Skype. In 2003 he came under fire after he bragged about Ebay’s deep data on its users and “flexible” privacy policy to attendees at a law enforcement conference in a recording that was leaked to Haaretz,. At Facebook his team would track down hackers themselves when they deemed law enforcement was being too slow. In 2013 he was tapped to be an inaugural member of Airbnb’s Trust & Safety Board. In 2016, he was named to President Obama’s 12-member cybersecurity council which then produced a 100-page report titled COMMISSION ON ENHANCING NATIONAL CYBERSECURITY.

Uber is now the target of at least three potential class action lawsuits, at least five state attorney general investigations, and an inquiry by the FTC because of Sullivan’s decision to pay off hackers and the cover ups.

 

 

 

h/t The Outline