Ex-Uber Security Chief Avoids Prison Time Over 2016 Hack Cover-up

Uber's former security chief has avoided jail time following an attempted cover-up of a 2016 data breach. 

Joe Sullivan, Uber's former CSO, was convicted in 2022 on two counts for covering up the data theft of over 50 million Uber customers and employees - becoming the first corporate leader to be found guilty of a hack committed by outsiders. 

Sullivan faced a total of eight years in prison for obstructing justice and concealing knowledge that a federal felony had been committed, but a US District judge in San Francisco yesterday (May 4) sentenced him to three years of probation and 200 hours of community service. 

The 2016 hack

Joe Sullivan was hired as Uber's chief security officer in 2015. In 2016, Sullivan was emailed by hackers claiming to have stolen records on around 57 million Uber users and 600,000 Uber drivers - something which was quickly internally confirmed. 

After learning of the breach, Sullivan hid it from both the public and the FTC, who were at the time investigating an unrelated attack from two years earlier. 

He then arranged to pay the hackers $100,000 in Bitcoin in return for them signing an NDA promising not to reveal the hack. 

The hack wasn't discovered until the autumn of 2017, when Uber's new management uncovered the truth and the breach was made public. It was then that Sullivan's lies came to light, prosecutors said. 

Sullivan was fired along with Craig Clark; an Uber lawyer that he had confided in. Clark was later given immunity by prosecutors and testified against Sullivan. 

The hackers pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing.

Meanwhile, Sullivan was convicted of obstruction of proceedings of the Federal Trade Commission and misprision of felony, meaning concealing knowledge of a felony from authorities.

The case is especially important as i's the first time a security executive has faced criminal charges for mishandling a data breach. The court case itself was also proven to be a public spectacle, with Judge William Orrick saying he has received 186 letters from Sullivan's friends, family and industry peers asking for leniency.

The conviction comes at a turbulent time for Uber, with the company suffering its third breach in six months back in April. 

'A relief for cybersecurity executives'

Dr. Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, told EM360: “The no-prison sentencing decision is certainly a relief for many cybersecurity executives who were closely watching this unprecedented incident.

"The decision shall, however, be prudently regarded through the prism of rapidly growing personal liability of cybersecurity executives and board members for security incidents and data breaches: most countries are enthusiastically developing new legislation that provides administrative, civil and even criminal sanctions for corporate management.

"A recent example comes from Finland, where in April 2023, a former CEO of a breached healthcare institution got a three-month suspended sentence. To avoid such debacles, executives shall take cybersecurity extremely seriously, establishing and enforcing a long-term data protection strategy within their organizations.

"Regular external and internal audits must be conducted to timely detect possible deficiencies and to ensure continuous improvement of their cyber resilience. All activities shall be properly documented and always be available for audit or inspection to demonstrate diligence, compliance and due care.

"Additionally, executives may consider incorporating protective clauses into their employment contracts to cover their personal litigation expenses by the employer when sued by third parties or prosecuted by state authorities. In the near future, we will likely see a surging number of civil actions and criminal prosecutions of executives for data breaches.”