(Bloomberg) — Uber Technologies Inc.’s former security chief was spared from prison for concealing a massive data breach in 2016.
Joe Sullivan’s sentencing to three years of probation Thursday followed his conviction by a jury last year of obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers.
Federal prosecutors had asked US District Judge William H. Orrick in San Francisco to impose a 15-month prison term.
The October 2016 hack stayed secret until the following November when it was disclosed by Uber’s new chief executive officer, Dara Khosrowshahi, about three months into his tenure. At the same time, he fired Sullivan.
The judge was urged not to send Sullivan to prison by about 50 current and former chief security officers from companies including Blackstone Inc., Netflix Inc. and the US government. In a letter to Orrick, they argued the penalty puts professionals and companies in jeopardy for making difficult decisions in unique security situations.
The job requires making “nuanced judgment calls in a largely unregulated environment, which has few explicit rules and regulations, including rules about disclosing data security incidents to the government,” according to the letter.
Sullivan, a former federal prosecutor who previously headed security at Facebook before his stint at Uber, is well-known in Silicon Valley as an expert in the field.
Uber’s mishandling of the 2016 attack on its servers resulted in the company paying $148 million in a settlement with all 50 states, which at the time was the biggest data-breach payout in US history. Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach from 2014.
Sullivan’s trial focused on cyber security management as well as a shakeup at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as CEO. Jurors rejected Sullivan’s defense that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.
Ahead of the sentencing, Sullivan’s lawyer, David Angeli, argued the crime he was convicted of represents a momentary lapse “unlikely to ever be repeated, and resulting in no demonstrated harm,” in contrast with a lifetime of hard work, achievement and volunteer work.
Sullivan has volunteered as a CEO of a non-profit providing humanitarian aid to Ukraine, according to Angeli, who shared with Orrick letters of commendation to Sullivan from Ukrainian defense officials.
Prosecutors argued that the many letters to the judge detailing Sullivan’s good deeds and qualities underscore that he “knew how wrong his conduct was.”
Prosecutors asked the judge to send a message with the sentencing so that every other well-connected corporate executive in cybersecurity and other fields “knows that the sanction for such a failure will be significant and meaningful.”
Sullivan’s conviction “stands as shocking proof that even such a revered figure in his community will resort to criminal activity when his reputation is on the line and he thinks no one is watching,” prosecutors said in a court filing.
Samuel Levine, the director of the Federal Trade Commission’s bureau of consumer protection, said in a letter to Orrick that after Sullivan misled the agency, it had to reopen a closed investigation of Uber’s data security and renegotiate an earlier 2014 agreement with the company stemming from a similar data breach.
The security officers who wrote in support of Sullivan voiced concern that executives in their roles could face unwarranted criminal and civil liability.
Security chiefs must present cybersecurity risks to top executives “so that breach reporting and other such decisions are made by upper management and lawyers, not us,” according to the letter. “The fear of later second-guessing, or finding that a decision was wrong in retrospect, may interfere with our ability to respond quickly in a crisis, damaging our organizations and customers.”
The case is U.S. v. Sullivan, 20-cr-00337, U.S. District Court, Northern District of California (San Francisco).
©2023 Bloomberg L.P.