Ex-Uber security chief sentenced for data-breach cover-up
The former chief security officer for Uber has been sentenced to probation for trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.The former chief security officer for Uber was sentenced to probation Thursday for trying to cover up a 2016 data breach in which hackers accessed tens of millions of customer records from the ride-hailing service.
Joseph Sullivan was sentenced to a three-year term of probation and ordered to pay a fine of $50,000, the U.S. attorney's office announced.
Sullivan, 54, of Palo Alto was convicted by a federal jury in San Francisco last October of obstructing justice and concealing knowledge that a federal felony had been committed.
It was believed to be the first criminal prosecution of a company executive over a data breach.
Sullivan was hired as Uber’s chief security officer in 2015. In November 2016, Sullivan was emailed by hackers, and employees quickly confirmed that they had stolen records on about 57 million users and also 600,000 driver’s license numbers, prosecutors said.
After learning of the breach, Sullivan began a scheme to hide it from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack, authorities said.
According to the U.S. attorney’s office, Sullivan told subordinates that “the story outside of the security group was to be that ‘this investigation does not exist,’ ” and arranged to pay the hackers $100,000 in bitcoin in exchange for them signing non-disclosure agreements promising not to reveal the hack. He also never mentioned the breach to Uber lawyers who were involved with the FTC’s inquiry, prosecutors said.
Uber’s new management began investigating the breach in the fall of 2017. Despite Sullivan lying to the new chief executive officer and others, the truth was uncovered, and the breach was made public, prosecutors said.
Sullivan was fired along with Craig Clark, an Uber lawyer he had told about the breach. Clark was given immunity by prosecutors and testified against Sullivan.
Prosecutors had recommended a sentence of 15 months in federal prison for Sullivan, who submitted more than 100 letters of support from friends, family and colleagues.
In an April sentencing memo, prosecutors said that showed that Sullivan is "a wealthy, powerful man" with a deep network of family and friends.
“There cannot be two different systems of justice, one for the privileged and another for the rest,” the memo argued. “Any such perception would do grievous damage to public respect for the law.”
His lawyers argued that Sullivan already “has suffered, and will continue to suffer, significant consequences because of this case.”
No other Uber executives were charged in the case.
The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.