Former Uber chief security officer, Joe Sullivan, was sentenced for his involvement in covering up the 2016 theft of data on 50 million Uber customers, which took place while the company was under investigation by the Federal Trade Commission for a previous breach.
Sullivan was convicted of hiding a felony and obstruction of justice, making him the first corporate executive to be found guilty of crimes related to a data breach by outsiders.
Despite prosecutors seeking 15 months of imprisonment, U.S. District Judge William Orrick sentenced Sullivan to three years of probation, taking into account his significant past work in protecting people and his successful efforts in keeping the stolen data from being exposed.
Judge Orrick also questioned why former Uber CEO Travis Kalanick was not charged, expressing his belief that Kalanick was equally responsible for the serious offense.
Sullivan’s conviction has generated controversy within the security industry, with many professionals seeing him as an industry leader who had worked in the public interest as a top security executive at Facebook, Uber, and Cloudflare.

More than 180 letters were filed with the judge praising Sullivan and asking for him to be spared jail time to continue helping defenders and victims of security failures. Some of the letters were signed by 40 current or former chief security or chief information security officers.
While Sullivan’s supporters argue that his conviction criminalizes questionable judgment in paying off extortionists, the government contends that he prioritized his and Uber’s interests over the tens of millions of Uber users and riders who trusted their personal information to the company.
The judge’s decision to spare Sullivan from imprisonment, despite the prosecution’s recommendation, indicates the unprecedented nature of the case and the judge’s belief that Sullivan’s past work and community support weighed in his favor.
The case highlights the growing importance of cybersecurity and the potential consequences of concealing or mishandling sensitive information. It also raises questions about the accountability of corporate executives for cybersecurity incidents and the extent to which they should be held responsible.
Uber Security Breach
The sentencing of former Uber chief security officer Joe Sullivan, who was convicted of obstruction of justice and hiding a felony related to the cover-up of the 2016 theft of data on 50 million Uber customers, has sparked debate among security professionals and officials on the implications of his punishment.
Despite the controversy surrounding the verdict, Sullivan’s attorneys highlighted his contributions to cybersecurity, including the establishment of eBay’s trust and safety team and a Facebook child-safety effort.
The criminal case against Sullivan began when a hacker notified Uber of a security lapse, which ultimately led to the discovery of the data breach.
The negotiations between Uber and the hackers who stole the personal data of millions of Uber riders and drivers resulted in a payment of $100,000 to the hackers in exchange for their promise to delete the data and not disclose what they had done.

Uber saw this as an opportunity to obtain information that would lead them to the real identities of the hackers, which they believed was necessary leverage to hold the hackers to their word.
Later, the hackers were arrested and pleaded guilty to hacking charges, and one of them testified against Joe Sullivan, Uber’s former chief security officer, in his trial.
Sullivan was charged with obstruction of justice for his role in covering up the breach. At the time of the breach, Uber was under investigation by the FTC for a previous data breach that occurred before Sullivan joined the company.
After Khosrowshahi became Uber’s CEO and learned of the breach, he fired Sullivan for not telling him more about it, and sooner. The company then assisted the U.S. attorney’s office in building a case against Sullivan, but prosecutors were unsuccessful in getting Sullivan to implicate Kalanick in the cover-up.