Ex-Uber CSO avoids time behind bars

Joe Sullivan has been sentenced to probation and community service

Ex-Uber CSO avoids time behind bars

Joe Sullivan, Uber's former chief security officer who was charged with a covering up a massive hack in 2016, has avoided jail time for his role in the debacle.

Sullivan was found guilty of the charges against him last year, when a San Francisco court concluded that he had failed to report the hack to government authorities and tried to pass off a ransomware payment as a bug bounty.

Despite expectations of jail time - a stay of up to eight years was discussed - a San Francisco judge has sentenced the ex-CSO to three years of probation plus 200 hours of community service.

That is despite prosecutors and federal officials urging the judge to enact a harsher sentence of at least 15 months in prison.

"The evidence at trial demonstrated that Defendant Sullivan prioritised his and his employer's selfish interests over the clear legal obligations owed to the FTC, and he thereby undermined the FTC's mission of protecting consumers," they wrote in a statement [PDF, via The Register].

"Sullivan...harnessed the resources of a multinational corporation to silence witnesses, generated fraudulent corporate paperwork, ratified false statements to the FTC, and lied to Uber's new CEO and internal investigators."

The case dates back to 2017, when Uber admitted covering up a hack in 2016 that had affected more than 57 million people, and paying £75,000 as a ransom for hackers to delete the stolen data.

It took more than a year for then-CEO Travis Kalanick to learn about the breach.

US prosecutors filed charges against Sullivan in 2020, for obstruction of justice and misprision - concealing a crime from law enforcement. He was found guilty of both in October last year.

Benjamin Kingsley, an assistant US attorney, said during closing arguments that Sullivan's actions were "a deliberate withholding and concealing of information."

Interested in hearing more about real-life cybersecurity cases? Join us at the Cybersecurity Festival next week to hear from former head of the Police National Cyber Crime Unit Charlie McMurdie about past investigations.