The Future

Uber’s disastrous head of security will probably get another awesome job soon

Joe Sullivan paid off hackers to cover up a data breach rather than disclose it to regulators and the public. What else has he been up to?

Joe Sullivan

The head of security at Uber was fired for attempting to cover up a data breach by paying off the hackers.
The news came out because the board had ordered an investigation into Sullivan’s secretive division.
Before he worked at Uber, Sullivan was in charge of security at Facebook. He also ran security at eBay, consulted on security for Airbnb, and was on Obama’s cybersecurity council.
I met Joe Sullivan in 2013 at Def Con, the hacker convention in Las Vegas, when he was the boring, neatly dressed head of security for Facebook who believed that working while listening to music on headphones is a “quirky” habit. Sullivan was responsible for introducing the company’s generous bug bounty program, in which Facebook pays security researchers to identify flaws in its code that could expose it or its users to attackers. The bug bounty program needed a minimum payout, Sullivan reasoned, so people could feel that it was worth their time, but he didn’t want to put an upper limit on it. “To me one of the interesting things was figuring out how much do you pay,” he told me at the time. “It's one of the fun things to debate inside the company between the engineers.”

I found myself thinking about this conversation last week after Bloomberg and others reported that Sullivan, who left Facebook for Uber in 2015, had paid hackers $100,000 in October 2016 to delete stolen data for 57 million Uber drivers and riders. Sullivan then tracked down the two hackers and made them sign disclosure agreements, with the approval of former CEO Travis Kalanick, The New York Times reported. “To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty,’” the Times wrote.

“I know as a consumer, I want to know how my information is used and I want to know who has access to it,” Sullivan told me in 2013. This would presumably include wanting to know when hackers discover 57 million names, email addresses, phone numbers, and about 600,000 driver’s licenses, but maybe Sullivan’s opinions changed.

Uber fired Sullivan and now says his actions violated disclosure laws. After the news came out, some security experts defended Sullivan, saying that $100,000 was a low price to pay for protecting 57 million users (just how Sullivan was able to guarantee that the hackers didn’t keep some copy of the data is unclear). Clearly Sullivan and Kalanick agreed $100,000 was worth it, if only to save the company some bad press — Uber was in the middle of negotiating with the Federal Trade Commission (FTC) for failing to disclose an unrelated data breach in 2014. This was just one of Sullivan’s many ethical breaches at the transportation company, however.

  • Uber has a documented habit of surveilling people it deems to be a potential threat, including employees, competitors, and its opponents in court. Sullivan was the one to order underlings to dig up dirt on the conservationist Stephen Meyer, who sued Uber for price fixing.
  • Sullivan operated autonomously and secretly. Sources also told Bloomberg that Sullivan had made himself more nimble by becoming Uber’s deputy general counsel, which let him “assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.” Bloomberg wrote in October that “Sullivan’s work is largely a mystery to the company’s board.”
  • Sullivan was in charge of a team formerly known as Competitive Intelligence or COIN, according to Bloomberg, which oversaw projects like “Hell,” which spied on Lyft drivers. Sullivan shut down Hell but kept other programs like it, and COIN was renamed to “Marketplace Analytics” and then again to “Marketplace Integrity.” The 57 million-person hack came to light because Uber’s board hired a law firm to investigate Sullivan’s teams, including COIN.
  • On Tuesday, a former Uber employee alleged that Sullivan encouraged his teams to use ephemeral messaging apps in order to “make sure we didn’t create a paper trail that would come back to haunt the company in any potential criminal or civil litigation.”

The scariest thing about Sullivan isn’t what he did at Uber, however, but what he might have done before that — and what forces allowed the rise of someone so unscrupulous. Bloomberg called him “a quiet fixture of Silicon Valley” because Sullivan ran security at multiple large technology companies in the last decade. He started his career as a federal prosecutor focused on tech cases during the internet boom. He then became head of trust and safety at eBay, where he oversaw PayPal and Skype. In 2003 he came under fire after he bragged about eBay’s deep data on its users and “flexible” privacy policy to attendees at a law enforcement conference in a recording that was leaked to Haaretz, but he largely stayed out of the spotlight. At Facebook, he earned a reputation for being aggressive to the point of vigilantism. “As a prosecutor, you feel like you’re always on the side of right,” he told Forbes in 2012. His team would track down hackers themselves when they deemed law enforcement was being too slow, and he told Forbes that when Facebook detected teen mischief on the platform, it would call their mothers rather than turn them in to the authorities. In 2013 he was tapped to be an inaugural member of Airbnb’s Trust & Safety Board. In 2016, he was named to President Obama’s 12-member cybersecurity council, which then produced a 100-page report. When Sullivan was hired by Facebook, Wired called it a “major talent grab.”

Uber is now the target of at least three potential class action lawsuits, at least five state attorney general investigations, and an inquiry by the FTC because of Sullivan’s decision to pay off hackers and cover up his mistakes. And with a history like his, it’s possible that there are other ethical violations that we don’t even know about.