Joseph Sullivan, former chief security officer for Uber, has been sentenced to a three-year term of probation and ordered to pay a $50,000 fine for attempting to cover up a data breach in 2016. The breach allowed hackers to access tens of millions of customer records from the ride-hailing service. Sullivan was convicted by a federal jury in San Francisco last October of obstructing justice and concealing knowledge that a federal felony had been committed.
Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, hackers emailed him, and it was quickly confirmed that they had stolen records on about 57 million users as well as 600,000 driver’s license numbers.
Sullivan began a scheme to hide the data breach from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said. He told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’ ” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack.
He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said. Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new CEO and others, the truth was uncovered, and the breach was made public, prosecutors said.
Prosecutors had recommended a sentence of 15 months in federal prison for Sullivan, but his lawyers argued that he already “has suffered, and will continue to suffer, significant consequences because of this case.” No other Uber executives were charged in the case.
The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing. The case is believed to be the first criminal prosecution of a company executive over a data breach.
Prosecutors argued that there could not be two different systems of justice, one for the privileged and another for the rest.