By Joseph Menn and Dustin Volz
SAN FRANCISCO/WASHINGTON (Reuters) – Three senior managers in Uber Technologies Inc’s security unit resigned on Friday, an Uber spokesperson said, days after the company’s new chief executive officer disclosed a massive data breach and criticized past security practices.
Uber’s CEO, Dara Khosrowshahi, who was installed in the top job in August, disclosed the data breach last month shortly after learning of it himself, saying that “none of this should have happened.” Uber’s security practices are also under scrutiny in a high-stakes legal battle with self-driving car company Waymo, an Alphabet Inc subsidiary.
Uber last week said it fired its chief security officer, Joe Sullivan, over his role in the 2016 data breach, which compromised data belonging to 57 million customers and about 600,000 drivers. The resignations Friday came amid mounting frustration within Uber’s security team over Sullivan’s dismissal and the company’s handling of the public disclosure of the breach.
The three managers who resigned were Pooja Ashok, chief of staff for Sullivan; Prithvi Rai, a senior security engineer and the number two manager in the department; and Jeff Jones, who handled physical security, the Uber spokesperson said. Ashok and Jones will remain at the company until January to assist in transition, the spokesperson said.
A fourth individual, Uber’s head of Global Threat Operations, Mat Henley, began a three-month medical leave, said a separate source familiar with the situation. The departures include most of Sullivan’s direct reports.
None of the four immediately responded to requests for comment. Emails in connection with the departures, described by the separate source, complained of emotional and physical strain from the past year.
Sullivan in August told Reuters that his security team totaled around 500 employees.
Leadership in the unit has been in turmoil since the termination last week of Sullivan and a deputy, as well as Uber’s admission that it paid $100,000 to hackers to delete stolen data from the October 2016 breach and keep it secret, while failing to report the incident to regulators or warn customers that their phone numbers and other data had been exposed.
In the Waymo case, testimony at a pretrial hearing this week focused on claims by former employee Richard Jacobs that Uber had a special unit within its security team that tried to obtain programming code and other trade secrets from rivals.
Uber launched an investigation in response to Jacobs’ claims, which were outlined in a 37-page letter sent to Uber’s in-house attorney and the U.S. Department of Justice. Board members received a report before Thanksgiving on the findings of that investigation, run by law firm WilmerHale. The report has not been shared publicly.
Henley, who was among the Uber security managers named in Jacobs’ letter, said in court Wednesday that the unit at Uber that Jacobs had accused of acquiring rivals’ trade secrets no longer exists.
In addition to having a technical team dedicated to obtaining data from competitors, Uber also had a “human intelligence” team to spy on people and record their conversations without them knowing, according to testimony in the Waymo case.
In one instance, a security vendor hired by Uber recorded a conversation between executives of rival ride-hailing firms Didi and Grab, Nicholas Gicinto, a security manager at Uber, testified in court Wednesday.
Uber’s general counsel, Tony West, on Wednesday sent a note to employees, which was seen by Reuters, saying that human surveillance of individuals would no longer be tolerated.
West said he did not believe the activity was illegal, “but, to be crystal clear, to the extent anyone is working on any kind of competitive intelligence project that involves the surveillance of individuals, stop it now.”
(Additional reporting by Heather Somerville and Dan Levine in San Francisco; Editing by Lisa Von Ahn and Leslie Adler)