Update 05/05/23: Late on Thursday, federal judge William Orrick ruled that Uber’s former head of cybersecurity Joseph Sullivan would serve no prison time for covering up a massive security breach at the ride-hailing company in 2016. He was instead sentenced to probation and must complete 200 hours of community service.
According to The Wall Street Journal, Orrick told the court he was showing Sullivan leniency because of the unusual nature of the case and because it was the first prosecution of its kind. He also cited Sullivan’s character, pointing to the large number of letters submitted in support of the former security chief. The judge added that any future security official who takes the same route as Sullivan should expect actual prison time.
Prosecutors had asked for 24 to 30 months in prison, but Sullivan’s attorneys pointed to the roughly 180 letters he received attesting to his prior work in cybersecurity. One of those letters was signed by 40 current or former corporate security executives.
Back in 2016, Uber suffered a security breach that exposed the names, phone numbers and email addresses of 57 million riders and drivers, along with the driver’s license numbers of about 600,000 Uber drivers. Instead of disclosing the hack, Sullivan and a few members of his staff paid the hackers roughly $100,000 to keep the breach quiet. The payment, made in bitcoin, was routed through the company’s bug bounty program, even though the program’s typical maximum payout for a bug report was $10,000, and Uber made no public mention of the breach. At the time, the Federal Trade Commission was already investigating the company over a separate breach that occurred in 2014, before Sullivan joined as security chief after leaving Facebook (now Meta).
According to the Wall Street Journal, Sullivan’s attorneys argued in court that Sullivan had the hackers sign nondisclosure agreements in which they attested that they had destroyed the stolen data, though it remains unclear whether that deletion was ever verified. Sullivan’s lawyers argued that the agreements gave the company enough assurance to treat the incident as an ordinary bug bounty, as if the hackers had been white hats reporting vulnerabilities to Uber rather than intruders who had stolen data.
After Dara Khosrowshahi took over as Uber’s CEO in 2017, the hack and the coverup came to light, and the company soon fired Sullivan and opened an internal investigation into him and Craig Clark, a lawyer who reported to the former CSO.
The ex-Uber exec was charged with obstruction of justice in 2020. In October 2022, a jury convicted Sullivan of obstruction of justice and misprision of a felony for concealing the facts of the breach from the FTC.
William Orrick, a federal judge for the Northern District of California, is set to sentence Sullivan sometime after 1:30 p.m. PT (4:30 p.m. ET). Federal prosecutors have recommended that the ex-Uber exec serve between 24 and 30 months in prison. The U.S. Attorneys also cited former Uber executive Anthony Levandowski, who previously pleaded guilty and was sentenced to 18 months for stealing trade secrets from Google.
“If not for the fortuitous arrival of new leadership at Uber, there is every reason to believe the tens of millions of victims of the 2016 Data Breach never would have learned about it,” prosecutors wrote in their sentencing memorandum.
Gizmodo reached out to Sullivan’s attorneys at the Angeli Law Group, but we did not immediately hear back. His lawyers have argued in court filings that any amount of prison time would be “not necessary” since he “has suffered, and will continue to suffer, significant consequences because of this case.” Responding to prosecutors’ request for two years or more, his attorneys also asked the court to take into account his devotion to his family and “staunch commitment to public service.”
The company has suffered other major hacks since, including a 2022 intrusion in which the LAPSUS$ gang gained access to Uber’s internal network and Slack workspace. Uber was much quicker to provide details on that breach than on its earlier ones. The company has tried to repair its image as a data-hungry giant, and though it has become more willing to show users what data it holds on them, it still plans to use more customer data to serve native advertising in-app.