Former Uber CSO Joe Sullivan avoids jail for breach cover-up
A U.S. district judge sentenced former Uber security chief Joe Sullivan to three years of probation and 200 hours of community service for his role in the 2016 breach cover-up.
Former Uber chief security officer Joe Sullivan avoided jail time for attempting to cover up a high-profile data breach in 2016.
The long-running criminal case against the former ride-share executive came to an end Thursday when U.S. District Judge William Orrick sentenced Sullivan to three years of probation and 200 hours of community service. Sullivan was charged in 2020 with obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of a felony in connection with covering up the breach, and was found guilty in October on both charges.
Prosecutors in late April recommended the judge sentence Sullivan to 15 months in prison for his crimes. They argued in court documents that the recommended sentence was called for because it would act as a deterrent for future white-collar defendants.
The 2016 breach occurred in the wake of a separate breach in 2014, when cybercriminals accessed personal Uber customer and driver data through an AWS S3 bucket. Sullivan, who was hired by the ride-share giant in 2015, received an anonymous email from threat actors in November 2016 explaining that they had exploited a major vulnerability -- a vulnerability that involved a second AWS S3 database.
Uber, with the apparent knowledge of Sullivan and then-CEO Travis Kalanick, sent a $100,000 payment to the threat actors through its HackerOne bug bounty program and had the actors sign nondisclosure agreements regarding the incident.
Sullivan did not disclose the 2016 breach to the FTC at the end of its then-ongoing investigation of the 2014 breach. The FTC only became aware of the more recent incident when CEO Dara Khosrowshahi was briefed on the breach in mid-2017 before publicly disclosing it. Sullivan was fired shortly after, and in 2020 was charged with one count of obstruction of proceedings of the FTC and one count of misprision of a felony.
Sullivan's conviction has become a hotly debated topic in infosec circles. At RSA Conference 2023 last month, former CISA Director Chris Krebs asked Deputy Attorney General Lisa Monaco whether Sullivan's prosecution damaged trust with the private sector.
Alexander Culafi is a writer, journalist and podcaster based in Boston.