Former Uber Chief Security Officer Joe Sullivan has been sentenced to three years' probation and 200 hours of community service for his part in concealing a 2016 hack from authorities.
Last October, a jury found Sullivan guilty of obstructing an ongoing FTC investigation into Uber’s security practices and concealing a data breach that affected 50 million riders and drivers in 2016. Uber paid the hackers $100,000 to keep the breach secret, and Sullivan and his team channeled the money through the company’s bug bounty program, which good-faith security researchers typically use to report defects.
The hack was not made public until 2017, when Dara Khosrowshahi took over as CEO. He dismissed Sullivan, claiming that concealing the breach was “the wrong decision.” In 2018, Sullivan was hired as Cloudflare’s Chief Security Officer, but he resigned in July 2022 to prepare for his trial.
Sullivan’s team advocated for probation, and before sentencing, Sullivan said that he had learned from his mistake and should have fought for transparency. Orrick emphasized that CISOs who express concern about jail time if Sullivan is imprisoned do not fully comprehend the circumstances of the case.
The sources for this piece include an article in Axios.