Uber was hacked last year, the company disclosed yesterday. Two hackers stole the contact information for 57 million people and the driver's license numbers for 600,000 drivers. In the hierarchy of data value, this stuff is not high up on the list. And the breadth of the hack also pales in comparison to other recent breaches at Yahoo and Equifax.
But it's what happened after the hack that is drawing condemnation. Uber did not report the breach to regulators, as new CEO Dara Khosrowshahi now acknowledges they should have. And then they paid $100,000 to the hackers to keep quiet. And then they tried to make it seem as if the payment was a "bug bounty" paid as part of their normal security testing operations, The New York Times reported. The hackers were even asked to sign non-disclosure agreements.
It's pretty ugly.
While it is widely acknowledged that companies (and civic entities) pay ransoms to hackers, it is considered poor form. It's also poor form, as well as possibly illegal, not to notify victims of data breaches. And it's also poor form to essentially fake a bug bounty.
In one version of this narrative, this can all be laid at the feet of Travis Kalanick, the deposed ruler of Uber who retains a board seat himself and a few other seats stuffed with his handpicked members.
But the man who lost his job over the hack is Joe Sullivan, who was the company's Chief Security Officer. In October, Bloomberg reported that Sullivan "runs a unit where Uber devised some of the most controversial weapons in its arsenal. Uber's own board is now looking at Sullivan's team, with the help of an outside law firm."
In fact, it would not be surprising if that probe led to this disclosure.
From the start of Uber's troubles, many in tech have tried to isolate the company from the herd. They did not want Uber's culture to reflect on the tech industry more broadly.
But Sullivan was not a Kalanick stalwart. He only arrived at Uber in April of 2015. He began his tech career with 4 years at eBay, went to PayPal for 2.5 years, and then spent 7 years at Facebook before being poached by Uber. Bloomberg's reporting indicates that Sullivan's role from nearly the moment he arrived at Uber was as "the keeper of some of Uber's darkest secrets."
Some public commentators seem to think Uber's response to this data breach is abhorrent and unusual. But, then how could a guy so deeply integrated into several major Silicon Valley companies have pushed it forward?
Doesn't it make sense to ask what attitudes and procedures Sullivan brought over from Facebook (and eBay and PayPal)?
This is the man who was responsible for security at the company that has amassed more data about people and their relationships and interests than any other in history. Either Uber corrupts all on contact or the integrity problems reach deeper into tech than the industry is willing to admit.