Risk & Repeat: Ex-Uber CSO Joe Sullivan sentenced

Former Uber security chief Joe Sullivan was sentenced last week to three years of probation and 200 hours of community service -- but no jail time -- for his role in covering up a 2016 data breach.

The sentencing ended a years-long case against the former ride-share executive, who in October was found guilty of one count of obstruction of proceedings of the Federal Trade Commission (FTC) and one count of misprision of a felony. Sullivan was originally charged in 2020, accused of covering up a 2016 data breach in which threat actors gained access to an AWS S3 database.

After the threat actors contacted Sullivan, Uber paid the actors a $100,000 bug bounty via the ride-share giant's HackerOne vulnerability rewards program. Sullivan and other Uber officials failed to disclose the breach to wider Uber senior management or the FTC, which was wrapping up an investigation related to another, similar data breach from 2014.

Prosecutors recommended that U.S. District Judge William Orrick, who presided over the case, sentence Sullivan to 15 months in prison as a deterrent to future white-collar criminals. Orrick ultimately did not follow the prosecution's advice, but warned during the sentencing hearing that security executives who engage in such behavior should expect jail time in the future. In addition, the judge said he felt that former Uber CEO Travis Kalanick was "just as culpable" as Sullivan, and he was troubled that the former CEO did not appear at the trial.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the Joe Sullivan sentencing, whether probation and community service were appropriate penalties, and what effect it will have on the cybersecurity industry.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is a writer, journalist and podcaster based in Boston.