Uber security chief who concealed data breach from 2016 does not have to go to prison

Joe Sullivan, the former chief information security officer of Uber who concealed a major data breach in 2016, has not been jailed. He will receive three years of probation and 200 hours of community service. The public prosecutor wanted 15 months in prison.

The judge calls the relatively lenient sentence for Sullivan an exception. He would owe it to his many previous work protecting people from the kind of cybercrime he was hiding in 2016. The judge also noted the fact that the stolen data was not leaked. In addition, the judge says he feels influenced by the fact that the case is without precedent. He adds that the next defendant in this position will certainly go to prison, “even if he has the character of the pope.”

Also without precedent, the amount of support Sullivan received was addressed to the judge. There were more than 180 letters in total, including one signed by 40 current or former chief security officers. That writes the Washington Post in its extensive report. The letters also said that other top security executives feared prosecution if Sullivan went to jail. Of those, the judge says that “the writers don’t understand the facts of the case” and that Sullivan “deliberately defrauded the government, causing actual harm to the FTC and the public.”

What also helped Sullivan’s case is that he left a paper trail of his dealings. Testimonies showed that cooperating with the blackmailers was also used to obtain information about them. This was necessary to ensure that they would keep their promise if Uber paid $100,000. In addition, this information was used to track down and charge the two perpetrators. They pleaded guilty.

On November 21, Uber announced that there was a major data theft in 2016. Hackers then captured names, email addresses and mobile phone numbers of 57 million users. The names and driver’s license numbers of 600,000 drivers in the US were also downloaded.

Uber only reported the incident 371 days after discovering the theft. That happened because Uber’s then-new CEO, Dara Khosrowshahi, felt that “none of this should have happened” and because, in the words of The Washington Post, Sullivan had not “told him more before.”