Former Uber security chief Joe Sullivan was sentenced on Thursday to three years of probation for covering up a data breach suffered by the ride-sharing giant in 2016.
Sullivan was charged in August 2020 and found guilty by a jury in October 2022. Before the sentencing, prosecutors were hoping for 15 months in prison, while the defense wanted probation, which was the ultimate outcome, allowing the former chief security officer (CSO) to avoid prison time. In addition to probation, Sullivan must perform 200 hours of community service as part of the sentencing.
Sullivan, who worked at Uber between April 2015 and November 2017, was accused of obstructing an FTC investigation into a data breach suffered by the company in 2014. While that older incident was being investigated, Sullivan learned of another, larger breach, but decided not to disclose it.
That larger incident occurred in 2016 and it involved hackers stealing the information of more than 50 million Uber users and drivers.
The attackers extorted Uber and were paid $100,000 through the company’s bug bounty program. They were allegedly instructed by Sullivan to sign non-disclosure agreements falsely claiming that no data had been stolen.
The full impact of the incident came to light roughly one year later, after Uber appointed a new CEO. Sullivan was terminated after it was revealed that he had hidden the full extent of the hack from Uber’s new management.
The hackers, two individuals from Canada and Florida, pleaded guilty in 2019. They seem to have been instrumental in the prosecution’s case against the former CSO.
Sullivan is a former federal prosecutor who led security programs at several Silicon Valley companies, including eBay, PayPal and Facebook before his stint at Uber.
The case is being closely watched by many CISOs and other cybersecurity leaders who are concerned about the potential liability for their decisions and disclosures related to breaches and security incidents.
“The international CISO community has been watching this one very closely, and hypothesising about the repercussions for some time,” Neil Thacker, CISO, EMEA, Netskope told SecurityWeek previously. “There is very little doubt among my peers that this case was about a serious misjudgment on the part of a CISO, but hindsight is a wonderful thing and we will probably never fully understand the complex factors and influences that led to his decisions. One of the biggest concerns within the community is an acknowledgment of the possible pressure that may have been exerted from other internal authorities upon the CISO, which led him to make the decisions.”
Related: Industry Reactions to Conviction of Former Uber CSO Joe Sullivan
Related: Uber Data Leaked Following Breach at Third-Party Vendor
Related: Uber Settles With Federal Investigators Over 2016 Data Breach Coverup