San Francisco judge sentences former Uber security chief to three years’ probation for role in covering up massive 2016 data breach
Joseph Sullivan was found guilty last October of two felony counts related to the breach.
Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan on 4 May to three years of probation.
He also ordered Sullivan to pay a $50,000 (£40,000) fine and to carry out 200 hours of community service.
Orrick said he was showing lenience due to the unusual “one-off” nature of the situation and Sullivan’s good character, but that if further cases of the same kind appear, sentencing would involve jail time.
“If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognises that,” he said.
One of the two felony counts was for actively concealing the breach from the Federal Trade Commission, which at the time was investigating an earlier 2014 breach.
Sullivan withheld information about the 2016 breach from investigators, even as he provided them with sworn testimony about the 2014 incident.
Sullivan’s other felony count was for misprision of a felony, that is, concealing one’s knowledge of a felony from others, in this case including other executives at Uber.
Sullivan’s attorneys argued that prosecutors had overstated the implications of some of Sullivan’s actions, noting that he kept then-chief executive Travis Kalanick and some members of the firm’s legal team fully informed.
But prosecutors noted that if Kalanick had not resigned for unrelated reasons in 2017, and been replaced by current chief Dara Khosrowshahi, the 2016 breach would never have come to light.
At Sullivan’s trial last year, Khosrowshahi said he fired Sullivan in 2017 after finding that Sullivan had attempted to mislead him in an email about the 2016 data breach.
Khosrowshahi said he decided to inform regulators of the breach because he felt Sullivan’s failure to do so was “the wrong decision”.
Sullivan paid $100,000 (£79,000) to two hackers after they informed him they had breached Uber’s systems and accessed the records of 57 million customers, including names and phone numbers, as well as 600,000 driving licence numbers.
The hackers asked for a ransom in return for deleting the data, and Sullivan arranged to pay them the funds through Uber’s bug bounty programme.
The hackers agreed to sign a non-disclosure agreement restricting them from telling anyone about the breach.
The hackers faced conspiracy charges in 2019 and pleaded guilty.