Connect with us

Hi, what are you looking for?


Data Breaches

Former Uber CSO Joe Sullivan Avoids Prison Time Over Data Breach Cover-Up

Former Uber security chief Joe Sullivan was sentenced to probation and community service for covering up the data breach suffered by the ride-sharing giant in 2016.

Joe Sullivan Sentencing

Former Uber security chief Joe Sullivan was sentenced on Thursday to three years of probation for covering up a data breach suffered by the ride-sharing giant in 2016.

Sullivan was charged in August 2020 and found guilty by a jury in October 2022. Before the sentencing, prosecutors were hoping for 15 months in prison, while the defense wanted probation, which was the ultimate outcome, allowing the former chief security officer (CSO) to avoid prison time. In addition to probation, Sullivan must perform 200 hours of community service as part of the sentencing.

Sullivan, who worked at Uber between April 2015 and November 2017, was accused of obstructing an FTC investigation into a data breach suffered by the company in 2014. While that older incident was being investigated, Sullivan learned of another, larger breach, but decided not to disclose it.

That larger incident occurred in 2016 and it involved hackers stealing the information of more than 50 million Uber users and drivers. 

The attackers extorted Uber and were paid $100,000 through the company’s bug bounty program. They were allegedly instructed by Sullivan to sign non-disclosure agreements falsely claiming that no data had been stolen.

The full impact of the incident came to light roughly one year later, after Uber appointed a new CEO. Sullivan was terminated after it was revealed that he had hidden the full extent of the hack from Uber’s new management.

The hackers, two individuals from Canada and Florida, pleaded guilty in 2019. They seem to have been instrumental in the prosecution’s case against the former CSO.

Advertisement. Scroll to continue reading.

Sullivan is a former federal prosecutor who led security programs at several Silicon Valley companies, including eBay, PayPal and Facebook before his stint at Uber.

The case is being closely watched by many CISOs and other cybersecurity leaders who are concerned about the potential liability for their decisions and disclosures related to breaches and security incidents.

“The international CISO community has been watching this one very closely, and hypothesising about the repercussions for some time,” Neil Thacker, CISO, EMEA, Netskope told SecurityWeek previously. “There is very little doubt among my peers that this case was about a serious misjudgment on the part of a CISO, but hindsight is a wonderful thing and we will probably never fully understand the complex factors and influences that led to his decisions. One of the biggest concerns within the community is an acknowledgment of the possible pressure that may have been exerted from other internal authorities upon the CISO, which led him to make the decisions.”

Related: Industry Reactions to Conviction of Former Uber CSO Joe Sullivan

Related: Uber Data Leaked Following Breach at Third-Party Vendor

Related: Uber Settles With Federal Investigators Over 2016 Data Breach Coverup

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.


Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.