Joseph Sullivan, the ex-security chief of Uber, has been sentenced to three years of probation and 200 hours of community service for his involvement in a data breach scandal that occurred seven years ago. The security breach, which took place in 2016, enabled two hackers to obtain the private information of approximately 57 million Uber users and drivers. After notifying Sullivan about the security breach, the hackers demanded $100,000 to remain silent, which Sullivan paid through the company’s bug bounty program using Bitcoin.
According to the U.S. Attorney’s Office for the Northern District of California, Sullivan has been accused of intentionally hiding, redirecting, and deceiving the Federal Trade Commission regarding the data breach. These allegations were made in a press release from 2020 after Sullivan was charged with obstruction of justice, and he was subsequently found guilty in October.
According to The Wall Street Journal, federal prosecutors had initially suggested a prison sentence of 24 to 30 months for Sullivan before his sentencing on Thursday. Nevertheless, San Francisco district judge William Orrick granted Sullivan a more lenient sentence due to the unusual circumstances surrounding the case, Sullivan’s character, and the fact that it was the first offense of its kind. Nonetheless, Orrick emphasized that future offenders should not expect the same level of leniency.
The Wall Street Journal reported, “If there are additional offenders, they should anticipate being incarcerated, irrespective of any other considerations, and I hope that everyone understands that.”
According to Bloomberg, Judge Orrick received a letter signed by nearly 50 current and former chief security officers from various companies, such as Netflix, Blackstone, and the U.S. government, urging him not to send Sullivan to prison. The letter emphasized that security officers operate in an environment with minimal explicit rules and regulations, including those about disclosing data security incidents to the government, and that the job requires making nuanced judgment calls.