May 4, 2023 - Technology

Ex-Uber security chief gets probation for concealing 2016 data breach

Uber headquarters in San Francisco, California in April. Photo: David Paul Morris/Bloomberg via Getty Images.

A judge sentenced Joe Sullivan, the former chief security officer at Uber, to three years' probation and 200 hours of community service on Thursday for covering up a 2016 cyberattack from authorities and obstructing a federal investigation.

Why it matters: Sullivan's case is likely the first time a security executive has faced criminal charges for mishandling a data breach, and the response to Sullivan's case has split the cybersecurity community.

Catch up quick: In October, a jury found Sullivan guilty of obstructing an active FTC investigation into Uber's security practices and concealing a 2016 data breach that affected 50 million riders and drivers.

  • Uber paid the hackers $100,000 to not release any stolen data and keep the attack quiet. Sullivan and his team routed the payment through the company's bug bounty program, which good-faith security researchers usually use to report flaws.
  • The hack wasn't publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.
  • Khosrowshahi fired Sullivan in 2017, telling the jury last fall that he thought the decision to conceal the breach was "the wrong decision."
  • Sullivan then joined Cloudflare as its chief security officer in 2018, and he stayed there until July 2022 when he stepped down to prepare for his trial.

What they're saying: "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," Judge William Orrick said during the sentencing on Thursday.

  • "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off," Orrick added.

Details: Sullivan's team pushed for probation in a letter to the court ahead of Thursday's sentencing case.

  • "I should have fought for transparency, and in every situation I've been in since, I've made sure of that," Sullivan said on Thursday. "I learned that lesson."

The intrigue: Orrick said he received 186 letters from Sullivan's friends, family and industry peers ahead of the sentencing about the case.

  • One of those letters in support of Sullivan's character was from former Uber CEO Travis Kalanick, which perplexed the judge overseeing the case during sentencing considering Kalanick and Uber both did not participate in the trial.
  • Some of those letters highlighted that Sullivan wasn't alone in making key decisions that led to the criminal acts, while others noted that criminal actions should lead to prison time.
  • "I don't usually get a courtroom full of people, I don't usually get 186 letters and long videos or all those other things that I went through," Orrick said.
  • Orrick noted among those letters were ones from CISOs sharing that they're afraid of jail time themselves if Sullivan goes to prison. "I'm not sure that they understand what the facts are," he said.
Go deeper