Covered up hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders, as well as personal information about 7 million drivers (including 600,000 US driver's license numbers), according to details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters reported that new CEO Dara Khosrowshahi said he had learned about the problem only "recently."

Uber Chief Security Officer Joe Sullivan oversaw Uber's response to the hack. As part of Uber's 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Board hired law firm to investigate internal competitive intelligence efforts

Bloomberg reports that Uber's board hired an external law firm "to question security staff and investigate activities" overseen by Joe Sullivan, Uber's Chief Security Officer. Bloomberg says the investigation specifically included COIN, the Competitive Intelligence program whereby Uber collected information about drivers and activity at Grab (via a system Uber called Surfcam) as well as Lyft (via Hell), and other Sullivan efforts including surveilling competitors and certain employees, as well as vetting potential hires.

Security officer designated as attorney

Bloomberg reports that Uber’s Chief Security Officer, Joe Sullivan, was also assigned the title of deputy general counsel. Bloomberg notes the importance of this designation: it “could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.”

Hired private investigators to monitor employee, surveil competitors, and vet potential hires

Bloomberg reports that Uber hired private investigators to monitor an employee, China strategy chief Liu Zhen. It seems Uber’s concern was that Liu’s cousin Jean Liu is president of ride-hailing competitor Didi Chuxing.

Bloomberg further reports Uber surveilling competitors, and conducting “extensive vetting on potential hires.”

The use of private investigators was overseen by Joe Sullivan, Uber’s Chief Security Officer, through a team called Strategic Services Group.

Tracked driver activity on Lyft servers

News site The Information in April 2017 reported that Uber built a program it called "Hell" to track how many Lyft drivers were available, where they were located, and whether they also drove for Uber. Uber then targeted these drivers with special promotions to encourage them to use Uber only.

By all indications, Uber collected data for “Hell” by connecting to Lyft’s servers in a manner prohibited by Lyft’s Terms of Service.

The Information reported that Uber then-CEO Travis Kalanick personally praised the Hell team, saying that they demonstrated Uber’s culture in their willingness to “hustle” in order to win.

In September 2017, the Wall Street Journal reported the FBI investigating Uber’s “Hell” practices.

Bloomberg reports that Hell was overseen by Joe Sullivan, Chief Security Officer of Uber, through a team formerly known as Competitive Intelligence.

See also the “Surfcam” program whereby Uber tracked data from Grab.

Hired a private investigator to investigate litigation adversaries

Uber hired a private investigator to interview friends and colleagues of Stephen Meyer, plaintiff in class action litigation against Uber, as well as Meyer's attorneys. Interviewing acquaintances and professional colleagues, the PI falsely claimed to be "profiling top up-and-coming" leaders and conducting "real estate market research." When plaintiff's counsel learned about these inquiries and asked Uber's counsel whether Uber had hired a PI, Uber attorneys claimed "Whoever is behind these calls, it is not us." But as evidence mounted, Uber eventually admitted to having initiated the investigation.

In criticizing Uber's decision to "hire unlicensed private investigators to conduct secret personal investigation of both the plaintiff and his counsel" as well as the "blatant misrepresentations" and "false pretenses" of the investigation, federal judge Jed Rakoff found "sufficient basis to suspect that Ergo had committed fraud in investigating plaintiff through the use of false pretenses" and that Uber's instructions had furthered the fraud. Uber paid an undisclosed sum to plaintiff and plaintiff's attorneys to resolve this misconduct.

Rakoff’s decision indicates that Uber’s investigation of Meyer and his attorneys was initiated by Uber then-General Counsel Salle Yoo who sought assistance from Chief Security Officer Joe Sullivan.

Private investigator's report. Uber staff communicated with the private investigator using Wickr, a self-deleting messaging app, though some messages were recovered during subsequent litigation.

Meyer v. Kalanick – litigation docket