A lawsuit filed Thursday in the U.S. District Court in San Francisco alleges that Joe Sullivan, who led Uber’s security team for more than two years until November 2017, “was engaged in a scheme to restrain and conceal” both the hack and the amount of data that was exposed from the US Federal Trade Commission.
Sullivan, a former assistant U.S. attorney, joined Uber in 2015 from Facebook, where he served as chief security officer for more than five years after stints at eBay and PayPal. He is currently the chief security officer of Internet infrastructure company Cloudflare.
Bradford Williams, a Sullivan spokeswoman, said in a statement that the charges – which include obstruction of justice – were without merit.
“This case focuses on an investigation into data security at Uber by a large, cross-functional team consisting of some of the most important security experts in the world, including Mr Sullivan,” Williams said in the statement. “If not for the efforts of Mr Sullivan and his team, it is likely that the persons responsible for this incident would never have been identified.”
Williams added: “From the outset, Mr Sullivan and his team worked closely with legal, communications and other relevant teams at Uber, in line with the company’s written policy. That policy made it clear that Uber’s legal department – and not Mr Sullivan or his group – was responsible for deciding whether, and to whom, the case should be disclosed.”
“Our decision in 2017 to disclose the incident was not only the right thing to do, it illustrates the principles by which we conduct our business today: transparency, integrity and accountability,” Uber said in a statement.
In September 2018, Uber agreed to pay $148 million to settle an investigation into the 2016 data breach that the company was accused of intentionally concealing. The settlement, with attorneys general for all 50 states and Washington, DC, was the largest ever multi-state settlement on data, according to the New York Attorney General at the time.
As part of the settlement, Uber agreed to develop and implement a business integrity program for employees to report unethical behavior. It also agreed to adopt model data breach notification and data security practices, and to hire an independent third party to review its data security practices.
The investigation was opened to look into allegations that the ride-sharing company violated state notification laws by intentionally withholding that the breach had occurred.
Uber has also previously settled a case with the FTC, which investigated allegations that Uber deceived customers about this breach.
CNN’s Sara O’Brien contributed to this report.