Fired Uber attorney testifies against ex-security chief in trial over 2016 data breach cover-up
A former top in-house attorney for Uber took the stand Wednesday in the criminal obstruction trial of ex-security chief Joseph Sullivan, testifying that his boss changed the language in a nondisclosure agreement with two hackers to cover up a serious data breach.
MARIA DINZEO / September 14, 2022
An Uber rider launches the app on a cellphone. (Pixabay image via Courthouse News)
SAN FRANCISCO (CN) — A onetime attorney for Uber who was fired for his role in a suspected coverup of a major 2016 data breach took the stand in the criminal obstruction trial of his former boss on Wednesday, testifying that ex-security chief Joe Sullivan was responsible for changes to a nondisclosure agreement with two hackers that made the attack seem like a white hat vulnerability report.
Craig Clark was given immunity in exchange for testifying against Sullivan, who stands accused of concealing the breach from authorities and obstructing an investigation by the Federal Trade Commission into Uber’s security practices.
The 2016 hack that exposed the personal information of 57 million Uber users could not have come at a worse time for the company as it was already in the throes of an FTC probe stemming from a similar breach in 2014.
Under questioning by Assistant U.S. Attorney Andrew Dawson, Clark said he recalled Sullivan asking how the incident could be funneled through Uber’s bug bounty program where “researchers” are paid to find and report security flaws.
“I remember Joe asking or saying how can we fit this into bug bounty,” Clark said on the stand.
“Did you take that as a directive to fit this into bug bounty?” Dawson asked, to which Clark answered “Yes.”
Clark testified that if the hack was classified as a bug bounty, the company would not be obligated to report it as a data breach.
“Was it your understanding if Mr. Sullivan was asking for legal advice or giving a directive?” Dawson asked.
“I took it as both,” Clark said. “It was — we need to fit this into bug bounty, how are we going to do it.”
Clark said this conversation happened after he found out that 600,000 driver’s license numbers had been exposed. When asked about his reaction to this knowledge, Clark said, “it was a big sigh and maybe an expletive that we were in reporting land. Once we knew we had driver’s license numbers pretty much everybody knew the implications of that.”
But Clark said he got right to work figuring out a way to turn the breach into a bounty. After a couple of hours, he’d come up with a theory — Uber would treat the two hackers as employees or agents of the company. Of course, it would have to be post-dated. Also, “We had to get the data back, know who they were, make sure the information had not been disseminated,” Clark said. “We needed to have a relationship such as they could be referred to as agents.”
It was admittedly an aggressive plan, but Clark considered himself an aggressive lawyer. He came to the field at a later stage in life, having worked previously as a welder and a lineman for PG&E. But he graduated at the top of his class at UC Hastings Law School before joining the firm White & Case, where he advised tech companies on privacy issues. Then came a stint at Facebook, where he met Sullivan. “He was the golden boy of security. He was well known, very engaged and well respected in the community,” Clark said of his former mentor.
Clark said he so admired and respected Sullivan that when he departed Facebook and joined Uber, Clark wanted to go with him.
“I emailed Joe soon after he left and said, ‘Hey, I want to come too,’” Clark said.
Several other Facebook employees jumped ship and joined them, including information security officer John “Four” Flynn, product security engineer Collin Greene and Mat Henley, who became Uber’s head of “threat ops.”
Clark said so many people left Facebook for Uber that they became known as “Fubers.”
The whole team banded together to address the 2016 breach, but Clark said Sullivan’s level of involvement was unusually heavy. “He was fully engaged,” he said.
Clark testified that Sullivan stressed a need for strict secrecy to the response team, and that he would be communicating directly to the C-suite executives, known internally as the “A-Team.” This group included CEO Travis Kalanick and General Counsel Salle Yoo. “From my perspective, this was all tightly controlled and the information was going up to A-Team who was making decisions so we were covered,” Clark said.
When Clark told Sullivan his theory, Sullivan replied that the A-Team had given the green light to treat the breach as a bug bounty. Clark proposed trying to negotiate down the hackers’ demand for $100,000, but Sullivan demurred. “He said no, we're going to pay the $100k,” Clark testified. He also said he recalled Sullivan and Flynn “saying they needed to discuss the FTC offline.”
By Nov. 15, Clark said he’d begun drafting a nondisclosure agreement for the hackers to sign as part of their inclusion in the bug bounty program.
His first draft included this provision: “You promise that you did not take or store any data obtained through your research or information about the vulnerabilities and that you have permanently deleted or destroyed all data and information related to the vulnerabilities in a forensically sound manner.”
Clark said he sent a draft Google doc to Sullivan, along with Henley and Rob Fletcher, another engineer on the team.
But at some point during the back and forth, the language of the “promises” provision changed. The word “obtained” was removed. The phrase “permanently deleted or destroyed all data” had also been crossed out. It now read, “You promise that you did not take or store any data during or through your research or information about the vulnerabilities and you have delivered to us or destroyed all analyses about the data vulnerabilities in a forensically sound manner.”
Clark said Sullivan had made the changes.
“Was that an accurate description of what the hackers had done?” Dawson asked.
“No,” Clark answered, adding “the x'ing out of ‘obtained’ was where it changed from an accurate statement to an inaccurate statement.”
He said he brought his concerns about the inaccuracy to Sullivan.
“What was his response?” Dawson asked.
“That it would stay,” Clark said.
When Kalanick left the company in 2017 under a cloud of scandal, Dara Khosrowshahi took the helm as CEO and brought in a team from the law firm Cutler Pickering Hale and Dorr to conduct an internal probe. Clark admitted Wednesday that he lied in a September 2017 interview with attorney Randall Lee when he said, “the possible exposure was broad for the incident but the only access was to an account of a member of the response team.”
“I was minimizing it. I was trying to protect the team. I had previously been interviewed by Wilmer Hale on other matters and I felt they were gunning for the team,” Clark said, describing his attitude toward Lee as “hostile and evasive.”
“I felt he was after heads on sticks,” Clark testified.
Sullivan and Clark were both fired from Uber on the same day that November. “Joe told me this was all struggles at the board level to get rid of anybody seen as loyal to Travis,” Clark said of their conversation. “He said he was seen as loyal to Travis, that I was a nobody but that I was caught up in the shrapnel of the firing.”
Clark said he suspected the firing actually had to do with their response to the breach. “I asked, ‘Wasn't Salle and all of A-Team involved?’ He said we had ‘different recollections.’”
On cross-examination, Sullivan’s defense attorney David Angeli showed Clark a transcript of his testimony before a grand jury in which he said he didn’t believe he asked Sullivan that question about the A-Team.
Angeli also emphasized Clark’s deal with the U.S. government to avoid prosecution in exchange for his testimony. Clark was sent a grand jury subpoena in December 2019. “You thought they were gunning for you too,” Angeli pressed. “Your lawyer told Dawson that you would talk to them only if you were able to get protection.”
Clark acknowledged he only agreed to talk in exchange for immunity.
Whether Sullivan or Clark actually made the changes to the nondisclosure agreement remains murky, though Angeli noted that Dawson, the prosecutor, “made clear that you wouldn’t get that immunity deal until that issue was cleared up.”
Clark was insistent on the stand. “In my mind it was clear as day that Joe input those changes,” he said.