Joseph Sullivan, the former chief security officer at Uber Technologies, was sentenced to three years’ probation by a federal court in San Francisco, following a jury verdict of guilty on criminal obstruction charges relating to a data breach at the ride-hailing giant. The jury rendered its verdict in October, as a result of his failure to report a 2016 cyber intrusion at Uber to federal authorities. Hackers penetrated Uber’s data while it was the subject of a Federal Trade Commission investigation and demanded payment. They asserted that they had obtained around 57 million records, including sensitive customer data, through a “vulnerability” in its technology, and demanded payment. Mr. Sullivan is a former federal prosecutor.
District Judge William Orrick delivered the sentence saying that because of Mr. Sullivan’s character, the unusual nature of the case and that it was the first of its kind, he had shown Mr. Sullivan leniency, but he said chief information security officers shouldn’t expect that in future cases.
“If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognizes that,” he said. In addition to probation, Mr. Sullivan must also serve 200 hours of community service.
The hackers were paid $100,000.
Judge Orrick said he was concerned that many cybersecurity professionals still didn’t fully grasp how serious the case was.
“To the extent that anybody thinks it wasn’t, that this had to do with judgment calls or anything like that, they do not understand what happened in this case,” he said.
Jeffrey Newman is a whistleblower lawyer representing whistleblowers in the Securities and Exchange Commissions whistleblower program and also under The False Claims Act. He can be reached at Jeff@JeffNewmanLaw.com or at 617-823-3217.
