A federal judge ordered Uber Technologies Inc. to turn over unredacted documents that could reveal more details about how company brass responded to a 2016 data breach, which led to costly legal battles for the ride-sharing giant and criminal charges for its then-security chief over a cover-up.
Judge William Orrick of the U.S. District Court for the Northern District of California said hundreds of internal communications sought by Uber’s former chief security officer may be necessary for his defense against allegations that he tried to mislead U.S. officials about the incident.
Joseph Sullivan is accused of attempting to conceal an incident in which Uber allegedly paid hackers $100,000 in bitcoin to destroy stolen data about 57 million passengers and drivers. He has pleaded not guilty.
Some security experts view the case as pivotal in determining corporate officers’ legal liability for their handling of cyberattacks—and evidence that security chiefs should push for built-in safeguards from their employers.
“When you’re negotiating your contract, should you make sure you have strong liability protection? I would,” said Patrick Gaul, executive director of the National Technology Security Coalition, a trade group that advocates for chief information security officers.
Lawyers for Mr. Sullivan and Uber will review the unredacted records to determine whether they are relevant to his defense, the judge said Tuesday. The order comes despite objections from federal prosecutors and Uber, which argued the documents were protected by attorney-client privilege as well as the work-product doctrine for materials that are prepared in anticipation of litigation.
Lawyers for Mr. Sullivan in court filings said about 660 unredacted emails and other communications will show that at least two dozen Uber officials from legal, public relations and other teams took part in the company’s response to the 2016 breach. That included allegedly withholding information from Federal Trade Commission investigators who were concurrently probing a 2014 breach.
The documents could show a “thus-far successful effort to scapegoat Sullivan for conduct known and approved at the highest level of the company and within its Legal department,” Mr. Sullivan’s lawyers said in court documents. Uber fired Mr. Sullivan in 2017.
Judge Orrick on Tuesday ordered the legal teams to keep the documents confidential during their review. It is unclear if any will be made public if the case goes to trial.
Uber, the federal prosecutor’s office and Mr. Sullivan’s lawyers didn’t respond to requests for comment. Travis Kalanick, Uber’s chief executive at the time of the 2016 breach, couldn’t immediately be reached for comment.
The order is the latest twist in yearslong fallout from the incident, in which Mr. Sullivan allegedly arranged to pay off two hackers through a bug bounty program typically used to reimburse legitimate security researchers who find vulnerabilities. In return, prosecutors allege, the hackers were required to sign nondisclosure agreements and destroy stolen data that included email addresses, phone numbers and driver’s license numbers. Two men later pleaded guilty to charges that they carried out the hack and extortion scheme.
Uber CEO Dara Khosrowshahi disclosed the breach in 2017 as the company pursued a deal for SoftBank Group Inc. to buy a 15% stake. In 2018, the ride-hailing company struck a $148 million settlement with attorneys general from all 50 states and the District of Columbia over allegations that it failed to properly report a breach of consumer data.
Federal prosecutors in 2020 charged Mr. Sullivan with obstruction of justice and concealing a felony, and added three wire fraud counts last year. Lawyers for Mr. Sullivan, who in 2018 became chief security officer for cloud-infrastructure provider Cloudflare Inc., motioned this month to dismiss the wire fraud charges.
Write to David Uberti at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
