A recent Law 360 story by Rose Krebs, “Uber’s Ex-Security Chief Seeks Legal Fees For Breach Suit,” reports that Uber's ex-head of security filed suit in Delaware Chancery Court seeking to have the company pay his legal fees in connection with charges he faces for allegedly trying to cover up a cyberattack that exposed the data of 57 million riders and drivers. Joseph Sullivan, who is also a former cybercrime prosecutor at the U.S. Department of Justice, says Uber Technologies Inc. should cover his legal fees per a "mandatory indemnification and advancement" provision of the ride-hailing company's bylaws.
"Uber granted its 'officers' mandatory advancement rights and yet is resisting those rights for its former chief security officer, Mr. Sullivan, who has been sued by the federal government by reason of the fact of his service to the company as an officer," the suit asserted. In August, Sullivan was charged in California federal court with obstructing justice and concealing a felony for allegedly misleading the Federal Trade Commission about the 2016 incident, which included a $100,000 payoff he allegedly arranged from Uber to two hackers in exchange for keeping the episode quiet.
Uber initially referred to the payout internally as part of its "bug bounty" program, which incentivizes cybersecurity experts to report security flaws to the company. But the $100,000 sum was 10 times the program's award cap at the time, and an Uber executive later admitted to Congress that the payoff was akin to extortion. The payment and cover-up came at the same time as Uber was negotiating a settlement with the FTC over a similar 2014 incident in which hackers pilfered user data from one of Uber's Amazon cloud storage sites, according to another criminal complaint.
Sullivan, who was "visibly shaken" after hearing of the new breach, concealed the episode from both the FTC and Uber's attorneys who were negotiating with federal regulators, the DOJ asserts. Sullivan told a co-worker at the time "that he could not believe they had let another breach happen and that the team had to make sure word of the breach did not get out," a witness told investigators, according to the California suit.
Sullivan is also accused of misleading Uber's new management team that took over in 2017, editing a summary of the incident prepared by his team to remove key details including that the hackers had stolen user data, court filings said. The company's CEO, Dara Khosrowshahi, announced the data breach in November 2017, saying that Sullivan had been fired for not disclosing the incident sooner. Since allegations in the California suit relate to his alleged conduct in connection with the 2016 breach and during his time as an Uber officer, Sullivan contends he is entitled to have the company advance his legal fees.