Uber security chief who concealed a 2016 data breach will not have to go to jail
Joe Sullivan, Uber’s former chief information security officer who covered up a major data breach in 2016, has not been sentenced to jail. He will receive three years of probation and 200 hours of community service. The public prosecutor wanted a 15-month prison sentence.
The judge describes the relatively mild sentence for Sullivan as an exception. According to the judge, Sullivan owes it to his extensive previous work protecting people from the kind of cybercrime he concealed in 2016. The judge also noted that the stolen data has not been leaked. In addition, the judge says that he was influenced by the fact that the case is without precedent. He adds that the next defendant in this position will certainly go to prison, “even if he has the character of the Pope.”
Also unprecedented was the number of messages of support for Sullivan addressed to the judge: more than 180 letters in total, including one signed by 40 current or former chief security officers. The Washington Post writes this in its extensive report. The letters also said that other security executives feared prosecution if Sullivan were to go to jail. The judge said that “the writers do not understand the facts of the case” and that Sullivan “deliberately deceived the government, causing actual harm to the FTC and the public.”
What also helped Sullivan’s case is that he left a paper trail of his actions. Testimony showed that cooperating with the blackmailers was also used to obtain information about them. This was necessary to ensure that they would keep their promise if Uber paid $100,000. In addition, this information was used to track down and charge the two perpetrators. They pleaded guilty.
On November 21, Uber announced that there had been a major data theft in 2016. At that time, hackers stole the names, email addresses and mobile phone numbers of 57 million users. The names and driver’s license numbers of 600,000 drivers in the US were also downloaded.
Uber reported the incident only 371 days after discovering the theft. That happened because Uber’s then-new CEO, Dara Khosrowshahi, believed that “none of this should have happened” and because Sullivan, in the words of The Washington Post, had not “told him more sooner.”