Former Uber Security Chief Avoids Prison Time For Covering Up Data Breach
Photo: Spencer Platt (Getty Images)
Uber’s former security chief Joe Sullivan will not be going to prison for covering up a data breach that affected over 50 million Uber drivers and users of the rideshare service. Last year, a jury found Sullivan guilty of obstructing an active FTC investigation, as well as finding him guilty of having concealed the 2016 Uber data breach, but a judge has sentenced Sullivan to three years’ probation and 200 hours of community service, as Axios reports.
Racing Tech | The Most Powerful Engines in Racing Can Be Found in the NHRA
In case you missed it:
While Sullivan will not be going to prison for covering up the data breach, Axios notes that Sullivan’s conviction and punishment are likely the first time a chief information security officer (CISO) has faced criminal charges for “mishandling a data breach.” But the term “mishandled” is somewhat of an understatement, which makes the subsequent probation seem a bit mild.
Sullivan not only concealed the data breach, but also handed over $100,000 to the hackers in order to keep the breach quiet. Sullivan and his team funneled the payment through Uber’s bug bounty program.
The overall case is something of a landmark that could establish a precedent for cybersecurity in the U.S. going forward. That’s likely why the judge who sentenced Sullivan received 186 letters in defense of the former Uber security chief, including a letter from former Uber CEO Travis Kalanick. Some of the other letters were from CISOs who were afraid that Sullivan doing prison time could mean jail time for them, too.
The Uber data breach occurred in 2016 under Kalanick’s tenure, but it wasn’t publicly disclosed until the following year, in 2017. That same year, Kalanick resigned and Dara Khosrowshahi became the next Uber CEO. Khosrowshahi fired Sullivan in 2017, and would later testify that he thought covering up the data breach was “the wrong decision.”
Sullivan still went on to lead the cybersecurity team at Cloudflare from 2018 through 2022, only stepping down as — I can’t emphasize this enough — chief security officer to prepare for trial on a cybersecurity crime. Prosecutors asked the court to sentence Sullivan to 15 months of prison time, but Sullivan got 3 years’ probation and 200 hours of community service. Who knows, maybe Sullivan will teach cybersecurity or ethics classes as part of his court-mandated service.
Photo: Spencer Platt (Getty Images)