Uber was hacked last year, the company disclosed yesterday. Two hackers stole the contact information for 57 million people and the driver’s-license numbers for 600,000 drivers. In the hierarchy of data value, this stuff is not high up on the list. And the breadth of the hack also pales in comparison to other recent breaches at Yahoo and Equifax.
But it’s what happened after the hack that is drawing condemnation. Uber did not report the breach to regulators, as new CEO Dara Khosrowshahi now acknowledges they should have. And then they paid $100,000 to the hackers to keep quiet. And then they tried to make it seem as if the payment was a “bug bounty” paid as part of their normal security-testing operations, The New York Times reported. The hackers were even asked to sign nondisclosure agreements.
It’s pretty ugly.
While it is widely acknowledged that companies (and civic entities) pay ransoms to hackers, it is considered poor form. It’s also poor form—as well as possibly illegal—not to notify victims of data breaches. And it’s also poor form to essentially fake a bug bounty.
In one version of this narrative, this can all be laid at the feet of Travis Kalanick, the deposed ruler of Uber who retains a board seat himself and a few other seats stuffed with his handpicked members.
But the man who lost his job over the hack is Joe Sullivan, who was the company’s Chief Security Officer. In October, Bloomberg reported that Sullivan “runs a unit where Uber devised some of the most controversial weapons in its arsenal. Uber’s own board is now looking at Sullivan’s team, with the help of an outside law firm.”
In fact, it would not be surprising if that probe led to this disclosure.
From the start of Uber’s troubles, many in tech have tried to isolate the company from the herd. They did not want Uber’s culture to reflect on the tech industry more broadly.
But Sullivan was not a Kalanick stalwart. He only arrived at Uber in April of 2015. He began his tech career with four years at eBay, went to PayPal for 2.5 years, and then spent over six years at Facebook before being poached by Uber. Bloomberg’s reporting indicates that Sullivan’s role from nearly the moment he arrived at Uber was as “the keeper of some of Uber’s darkest secrets.”
Some public commentators seem to think Uber’s response to this data breach is abhorrent and unusual. But then how could a guy so deeply integrated into several major Silicon Valley companies have pushed it forward?
Doesn’t it make sense to ask what attitudes and procedures Sullivan brought over from Facebook (and eBay and PayPal)?
This is the man who was responsible for security at the company that has amassed more data about people and their relationships and interests than any other in history. Either Uber corrupts all on contact or the integrity problems reach deeper into tech than the industry is willing to admit.