- Joe Sullivan, former Uber chief security officer, sentenced to three years’ probation and 200 hours of community service for covering up a 2016 cyberattack and obstructing a federal investigation.
- Sullivan’s case marks the first time a security executive has faced criminal charges for mishandling a data breach, and it has divided the cybersecurity community.
- The sentencing has raised concerns among chief information security officers who fear potential jail time if they face similar circumstances in the future.
In a landmark case, Joe Sullivan, former chief security officer at Uber, was sentenced on Thursday to three years’ probation and 200 hours of community service for covering up a 2016 cyberattack and obstructing a federal investigation. This is the first time a security executive has faced criminal charges for mishandling a data breach, and the case has divided the cybersecurity community.
Sullivan was found guilty by a jury in October of obstructing an active Federal Trade Commission (FTC) investigation into Uber’s security practices and concealing a data breach that affected 50 million riders and drivers in 2016. Uber paid the hackers $100,000 to keep the attack quiet and not release the stolen data, routing the payment through the company’s bug bounty program.
The breach was not publicly disclosed until 2017, shortly after Dara Khosrowshahi took over as CEO. Khosrowshahi fired Sullivan in 2017, stating that the decision to conceal the breach was “the wrong decision.” Sullivan subsequently joined Cloudflare as its chief security officer in 2018, where he remained until July 2022, when he stepped down to prepare for his trial.
Judge William Orrick, while delivering the sentence, stated that if a similar case arises in the future, the defendant would be sent to prison regardless of their character. He also noted that he received 186 letters from Sullivan’s friends, family, and industry peers, including one from former Uber CEO Travis Kalanick, expressing support for Sullivan’s character. The judge acknowledged that these letters suggested that Sullivan was not solely responsible for the key decisions leading to the criminal acts.
The case has prompted concerns among other chief information security officers (CISOs) who fear potential jail time if they find themselves in a similar situation.