Uber’s former security chief was spared a jail sentence for trying to hide a 2016 hack

Joe Sullivan was the first corporate leader to be convicted over a data breach by outsiders

Drive easy.
Photo: Andrew Kelly (Reuters)

Uber’s former chief security officer has avoided jail time in a case stemming from the coverup of a 2016 hack. The judge found that his past work in data security outweighed the harm he did by hiding the breach.

In October, Joe Sullivan was convicted on two counts for covering up the 2016 theft of company data on 57 million Uber customers and drivers, becoming the first corporate executive to be convicted in connection with a hack committed by outsiders.


The first count was obstruction of Federal Trade Commission (FTC) proceedings: at the time of the 2016 hack, the FTC was already investigating Uber over a 2014 breach. The second, misprision of a felony, covered Sullivan’s concealment of the hack. He faced a maximum of five years in prison on the obstruction charge and three years on the misprision charge. The judge opted for no jail time at all.


US District Judge William Orrick in San Francisco sentenced Sullivan to three years of probation on May 4, citing his significant past work protecting people from the sort of crime he later concealed, and the fact that Sullivan’s steps, however dubious, had succeeded in keeping the stolen data from being exposed. In addition to probation, Sullivan must complete 200 hours of community service.


Quotable: Security execs shouldn’t expect leniency in the future

“If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. When you go out and talk to your friends, to your CISOs [chief information security officers], you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”—Judge William Orrick during Sullivan’s sentencing on May 4.


Sullivan’s trial divided the cybersecurity community

Even before the case, Sullivan was a well-known name in the cybersecurity industry. He worked alongside federal prosecutors on cybercrime cases in the late 1990s before moving to the corporate security world in 2002, taking on high-profile roles as head of security first at Facebook and then at Uber. Even after his dismissal from Uber, he was hired as Cloudflare’s chief security officer the following year. (He stepped down from that role in July 2022 to prepare for his trial.)


The case divided the cybersecurity community. Sympathetic supporters said Sullivan was being “unfairly singled out” and “scapegoated.” More than 180 letters were filed with the judge asking that Sullivan be spared jail time so he could continue helping defenders and victims of security failures. One of the letters was signed by 40 current or former security executives.

Paying off attackers has become commonplace at companies hit by ransomware, and other CISOs worried that they, too, could face legal action. Even without a conviction, there would be the mental strain and the mounting legal fees of fighting the charges.


Industry leaders also worried that jail time would have a chilling effect on people willing to take on the security officer role in the future, particularly since several other people, including Uber’s then-CEO Travis Kalanick, were aware of what Sullivan was doing. During the sentencing, Orrick said Kalanick was “at least as culpable” as Sullivan, and that it was surprising he had not been charged.

Dissenters, however, argued that the lawful course had been clear and accused those coming to Sullivan’s defense of “tribalism.” At his sentencing, Sullivan admitted to being “a bad role model.”


A brief timeline of Sullivan’s role in Uber’s data breach coverup

April 2015: Uber hires Sullivan to be chief security officer.

May 2015: The FTC serves a detailed Civil Investigative Demand on Uber, demanding both extensive information about any other instances of unauthorized access to user personal information and information about Uber’s broader data security program and practices.


November 2016: On Nov. 4, Sullivan testifies under oath, at length, to the FTC about Uber’s data security practices. Ten days later, Sullivan learns that Uber’s data has been breached again when the hackers contact him directly by email, revealing the stolen user data and demanding a large ransom from Uber in exchange for deleting it. Sullivan proceeds to hide the matter.

December 2016: Uber pays the hackers $100,000 in bitcoin in exchange for their signing non-disclosure agreements promising not to reveal the hack to anyone, and for their signing a false representation that they had not taken or stored any data in the hack.


January 2017: Uber identifies the two hackers and requires them to execute new copies of the non-disclosure agreements in their true names, emphasizing that they are not allowed to discuss the hack with anyone else.

August 2017: Uber’s new management arrives and begins investigating the 2016 data breach. Sullivan lies to new CEO Dara Khosrowshahi and to outside lawyers about the hack, trying to pass it off as a payout under the company’s bug bounty program, which companies use to pay white-hat hackers who help find holes in their systems.


November 2017: Uber’s new management uncovers the truth and discloses the breach publicly and to the FTC. Sullivan is fired.

October 2019: The two hackers identified by Uber plead guilty to computer fraud conspiracy charges.


October 2020: Sullivan sues Uber to get the company to cover his legal fees.

July 2022: Uber admits to the 2016 coverup and enters a non-prosecution agreement with federal prosecutors to resolve a criminal probe into the breach.


October 2022: A federal jury convicts Sullivan of obstruction of justice and misprision of a felony in connection with his cover-up of the 2016 hack of Uber. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” US Attorney Stephanie M. Hinds said at the time.

May 2023: Sullivan is sentenced.
