Covered up hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders, as well as personal information about 7 million drivers (including 600,000 US driver's license numbers).

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber's then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters reported that new CEO Dara Khosrowshahi indicated he had learned about the problem only “recently.”

Uber Chief Security Officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Sought to conceal embarrassing court proceedings from the public

In Google’s lawsuit against Uber as to alleged theft of self-driving car technology, Uber sought to hold a hearing in camera, closed to the public. Judge Alsup concluded that Uber sought confidentiality not for any proper purpose permitted under law, but to avoid embarrassment. From the court transcript for March 26, 2017:

Mr. Gonzalez (for Uber): Your Honor, the reason why we wanted it in chambers is because of the adverse impact that we think it would have on our client. If there’s a headline tomorrow saying this guy is asserting the Fifth Amendment —

The Court: Listen, please don’t do this to me again. There’s going to be a lot of adverse headlines in this case on both sides. And I can’t stop that.

[T]he public has a right — in fact, this whole transcript, I’m going to make it public.

Details in The Verge

Waymo v. Uber litigation docket

Then-General Counsel Salle Yoo “expressed reservations” about acquisition of Otto

In summer 2016, Uber then-CEO Travis Kalanick sought to acquire a startup called Otto which specialized in self-driving vehicles. According to Bloomberg, then-General Counsel Salle Yoo “expressed reservations about the deal” and insisted on hiring Stroz Friedberg (cyber investigators) to assess any impropriety including the possibility, already known to her and Kalanick, that Otto co-founder Anthony Levandowski was bringing files from Google, his former employer.

Bloomberg reports that Uber’s board wasn’t aware of these concerns, the Stroz findings, or Levandowski’s retention of Google files.

Board hired law firm to investigate internal competitive intelligence efforts

Bloomberg reports that Uber’s board hired an external law firm “to question security staff and investigate activities” overseen by Joe Sullivan, Uber’s Chief Security Officer. Bloomberg says the investigation specifically included COIN, the Competitive Intelligence program whereby Uber collected information about drivers and activity at Grab (via a system Uber called Surfcam) as well as Lyft (via Hell), and other Sullivan efforts including surveilling competitors and certain employees, as well as vetting potential hires.

Security officer designated as attorney

Bloomberg reports that Uber’s Chief Security Officer, Joe Sullivan, was also assigned the title of deputy general counsel. Bloomberg notes the importance of this designation: it “could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.”

Hired private investigators to monitor employee, surveil competitors, and vet potential hires

Bloomberg reports that Uber hired private investigators to monitor an employee, China strategy chief Liu Zhen. It seems Uber’s concern was that Liu’s cousin Jean Liu is president of ride-hailing competitor Didi Chuxing.

Bloomberg further reports Uber surveilling competitors, and conducting “extensive vetting on potential hires.”

The use of private investigators was overseen by Joe Sullivan, Uber’s Chief Security Officer, through a team called Strategic Services Group.

Kalanick “promoted” then-General Counsel Yoo to sideline her

As then-General Counsel Salle Yoo pushed for Uber to comply with the law, then-CEO Travis Kalanick reassigned her from General Counsel to Chief Legal Officer. Kalanick styled this as a promotion, but Bloomberg says his “true intention was to sideline her from daily decisions” (based on the assessment of two employees who worked closely with them).

Legal department “spirit of rule-breaking”

Bloomberg reported that then-CEO Travis Kalanick encouraged then-General Counsel Salle Yoo to create a legal department with what Bloomberg called a “spirit of rule-breaking.” In a performance review, Kalanick told Yoo she needed to be more “innovative.” Bloomberg reports that Yoo considered herself “liberated” by not having to follow “best practices,” being allowed “to do things the way I think things should be done, rather than the way other people do it.” But Bloomberg says Yoo failed to challenge Kalanick and his deputies, or raise objections to Uber’s board.

Due diligence report on Otto and Anthony Levandowski revealed copying of Google information

Forensics firm Stroz Friedberg investigated the information Anthony Levandowski allegedly took from Google and whether or how it was destroyed. Stroz’s report conveys Levandowski’s admission that he had five discs of Google information which he says he destroyed (a claim Stroz was unable to verify).

Stroz found about 50,000 Google work emails on Levandowski’s personal computer, and there was evidence that he accessed some of the emails at about the same time he left Google, making it “difficult to believe” that he could not remember having those emails, as he claimed when interviewed.

Stroz found that Levandowski accessed certain Google files after his departure, then deleted them. Stroz also found evidence of Levandowski searching for instructions on secure file deletions, and telling coworkers to delete messages from him. These deletions are consistent with an attempt to destroy confidential Google information that Levandowski should not have had, but also consistent with a cover-up of information previously received and used.

A Google spokesperson said in a statement: “The Stroz Report unequivocally shows that, before it acquired his company, Uber knew Anthony Levandowski had a massive trove of confidential Waymo source code, design files, technical plans and other materials after leaving Google; that he stole information deliberately, and repeatedly accessed it after leaving Waymo; and that he tried to destroy the evidence of what he had done. In addition, Mr. Levandowski used his smartphone to take thousands of covert photographs of computer screens displaying Google confidential files. Knowing all of this, Uber paid $680 million for Mr. Levandowski’s company, protected him from legal action, and installed him as the head of their self-driving vehicle program.”