Former Uber CSO avoids prison for concealing data breach
Joe Sullivan, the former Uber CSO who was convicted last year for attempting to cover up a data breach Uber suffered in 2016 and keeping it hidden from the Federal Trade Commission (FTC), has been sentenced to three years of probation plus 200 hours of community service.
The conviction
Sullivan became Chief Security Officer at Uber in April 2015, and in November 2016 testified before the FTC under oath about the steps the company had taken to keep customer data secure following a 2014 data breach.
Ten days after the testimony, he was contacted by hackers who said they breached Uber and made off with data of 57 million users and drivers. They asked for a ransom payment in exchange for deleting the data.
Ultimately, the company paid the hackers $100,000 to destroy the stolen data and not to reveal the breach to the public – and the breach was not revealed to the FTC.
After Dara Khosrowshahi succeeded Uber’s co-founder Travis Kalanick in the CEO role in June 2017, the breach and the attempted cover-up were discovered. Uber disclosed the breach, and Sullivan was fired and ultimately prosecuted.
Sullivan, who’s also a former US Federal Prosecutor, was found guilty of two charges: obstruction of proceedings of the Federal Trade Commission and misprision (concealment) of felony.
The sentencing
The prosecutors asked Judge William H. Orrick, of the U.S. District Court, Northern District of California, to impose a 15-month sentence to make a point: that all defendants are equal before the law regardless of their position and power.
But the judge took into consideration Sullivan’s previous work to protect people’s digital safety, the many letters filed by friends and members of the cybersecurity community asking for leniency in this case, as well as Sullivan’s demonstrated contrition, and came up with a sentence that doesn’t involve spending time in prison.
A takeaway from the Joe Sullivan sentencing today: the judge called out how some letters on Joe’s behalf from the CISO community downplayed or misrepresented the situation and conduct. And he said the next CISO in Joe’s situation can expect jail time. Reflection time, folks.
— David Oxley (@oxleyio) May 4, 2023