Uber is bringing in an enforcer of security to help quell concerns about whether the ridesharing service suitably protects the private data of its riders and drivers.
The San Francisco company hired Joe Sullivan, the top cybersecurity executive at Facebook for the past five years, it said in a blog post Thursday. He becomes Uber’s first chief security officer, reporting directly to Chief Executive Travis Kalanick.
Sullivan joins as Uber investigates a data breach that compromised the names and drivers-license numbers for 50,000 drivers last year. It’s also continuing to field inquiries from Capitol Hill on how it grants employees access to users’ sensitive location data.
Uber’s new security chief will work alongside his former colleague, Katherine Tassi, who joined the company from Facebook last fall as managing counsel of data privacy. In recent her group has implemented new privacy protocols, such as erasing user data when a user terminates their account and performing background checks on employees who have access to sensitive data.
Uber audited its data privacy practices and retained law firm Hogan Lovells last November, after comments made by one of its top executives ignited concerns that the company could tap into its data to track the whereabouts of specific riders.
Uber has said it only permits employees accessing rider or driver data if they have a “legitimate business purpose,” such as troubleshooting bugs or monitoring fraud, and that it audits that activity by data security specialists. The audit by Hogan Lovells gave a glowing review of Uber’s policies around data protection and made several recommendations which Uber has agreed to implement. Going forward, the company plans to start performing more regular reviews of its privacy program, help users understand its policies more clearly and give passengers an easier way to keep track of the star rating they are given by Uber drivers.
The car-hailing service said in February it had discovered one of its databases had been breached last year. Uber waited more than five months to notify drivers whose data was compromised, much longer than allowed by many state laws. Most state laws allow a company to delay notification if law-enforcement officials say it would impede an investigation. Uber has declined to comment on whether it worked with a law enforcement agency on the breach.
Sullivan helped bolster security at Facebook following Edward Snowden‘s revelations that the National Security Agency and its partners were monitoring overseas traffic between U.S. tech firms’ data centers.
Before Facebook, the executive spent six years on legal and safety teams at eBay and its payment subsidiary, PayPal.
“I had the good fortune to work at two amazing companies — eBay and Facebook — when they were growing rapidly,” Sullivan said in a statement. “I look forward to bringing the best practices that I’ve learned along the way to Uber and doing defining work in bridging the divide between the digital and physical worlds.”
In an emailed statement, a Facebook spokesperson thanked Sullivan for his work at the company. A replacement has not been named.
“Joe’s many contributions have made the Facebook community safer and more secure,” the Facebook spokesman said.
–Danny Yadron and Deepa Seetharaman contributed to this article.