Joseph Sullivan, the former chief security officer of Uber, has been sentenced to three years of probation instead of jail time for his involvement in covering up a cyber-attack from authorities.
Sullivan was convicted of making a payment of $100,000 to hackers who had gained unauthorized access to 57 million records of Uber customers, which included personal information such as names and phone numbers.
In addition to probation, he has been ordered to pay a $50,000 fine and perform 200 hours of community service. Initially, prosecutors had requested a 15-month prison sentence. Sullivan was also found guilty of impeding an investigation conducted by the Federal Trade Commission.
Judge William Orrick, as reported by the Wall Street Journal, stated that he showed leniency to Sullivan due to the unique nature of the case and the individual’s character.
“If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognises that,” he said.
In 2015, Sullivan assumed the position of Uber’s chief security officer.
According to the US Department of Justice (DOJ), in November 2016, the individuals who launched an attack on Uber sent an email to Sullivan, informing him that they had obtained a substantial amount of data and would delete it in exchange for a ransom.
Sullivan’s team members confirmed that data, including records of 57 million Uber users and 600,000 driver’s license numbers, had indeed been stolen.
Based on the DOJ’s account, Sullivan coordinated the payment of $100,000 to the hackers, contingent upon their signing non-disclosure agreements prohibiting them from revealing the breach to anyone.
Disguised as a “bug bounty,” a reward typically given to cybersecurity researchers who identify and disclose vulnerabilities to facilitate their resolution, the payment was made to the hackers in December 2016.
Subsequently, in 2019, the hackers were charged with conspiracy and pleaded guilty to the charges.