Former Uber security chief convicted of covering up data breaches
SAN FRANCISCO (AP) — Uber’s former chief security officer was sentenced to probation Thursday for attempting to cover up a 2016 data breach that allowed hackers to access tens of millions of customer data from the ride-hailing service.
Joseph Sullivan was sentenced to three years’ probation and ordered to pay a $50,000 fine, the US law firm announced.
Sullivan, 54, of Palo Alto was convicted by a federal jury in San Francisco last October for obstructing justice and concealing knowledge that a federal felony had been committed.
It was believed to be the first criminal prosecution of a corporate executive for a data breach.
Sullivan was hired as Uber’s Chief Security Officer in 2015. In November 2016, Sullivan was emailed by hackers, and associates quickly confirmed they had stolen data from about 57 million users as well as 600,000 driver’s license numbers, prosecutors said.
After Sullivan learned of the breach, he began a plan to hide it from the public and the Federal Trade Commission, which had been investigating a smaller hack from 2014, authorities said.
According to the US law firm, Sullivan told his subordinates that “the narrative outside the security group would be that ‘this investigation doesn’t exist’,” and arranged to pay the hackers $100,000 in bitcoin in exchange for signing non-disclosure agreements. promises not to disclose the hack. He also never reported the breach to Uber attorneys involved in the FTC’s investigation, prosecutors said.
Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new CEO and others, the truth came out and the breach was made public, prosecutors said.
Sullivan was fired along with Craig Clark, an Uber attorney he told about the breach. Clark was granted immunity by prosecutors and testified against Sullivan.
Prosecutors had recommended a 15-month sentence in federal prison for Sullivan, who submitted more than 100 statements of support from friends, family and colleagues.
In an April sentencing memo, prosecutors said Sullivan is “a rich, powerful man” with a deep network of family and friends.
“There cannot be two different justice systems, one for the privileged and one for the rest,” the memo argued. “Such a perception would seriously damage public respect for the law.”
His lawyers argued that Sullivan has already “suffered and will continue to suffer significant consequences because of this case.”
No other Uber executives have been charged in the case.
The hackers pleaded guilty to computer fraud charges in 2019 and are awaiting sentencing.