Ex-Uber security chief gets three years probation for data breach cover-up


SAN FRANCISCO – Uber Technologies’ former security chief was spared from prison for concealing a massive data breach in 2016.

Joe Sullivan’s sentencing to three years of probation on Thursday followed his conviction by a jury in 2022 of obstructing a government investigation and concealing the theft of personal data of 50 million customers and seven million drivers.

Federal prosecutors had asked United States District Judge William Orrick in San Francisco to impose a 15-month prison term.

The October 2016 hack stayed secret until the following November when it was disclosed by Uber’s new chief executive Dara Khosrowshahi, about three months into his tenure. At the same time, he fired Sullivan.

About 50 current and former chief security officers, from companies including Blackstone and Netflix and from the US government, urged the judge not to send Sullivan to prison.

In a letter to Judge Orrick, they argued that the penalty puts professionals and companies in jeopardy for making difficult decisions in unique security situations.

The job requires making “nuanced judgment calls in a largely unregulated environment, which has few explicit rules and regulations, including rules about disclosing data security incidents to the government”, according to the letter. 

Sullivan, a former federal prosecutor who previously headed security at Facebook before his stint at Uber, is well-known in Silicon Valley as an expert in the field.

Uber’s mishandling of the 2016 attack on its servers resulted in the company paying US$148 million (S$196.4 million) in a settlement with all 50 states in the country, which at the time was the biggest data breach payout in US history.

Uber had previously been reprimanded by the Federal Trade Commission over a similar data breach from 2014.

Sullivan’s trial focused on cyber security management as well as a shake-up at Uber in 2017 when a series of scandals drove co-founder Travis Kalanick out as CEO.

Jurors rejected Sullivan’s defence that other executives at the ride-hailing giant were aware of the 2016 hack and were responsible for it not being disclosed to regulators for more than a year.

Ahead of the sentencing, Sullivan’s lawyer, Mr David Angeli, argued the crime he was convicted of represents a momentary lapse “unlikely to ever be repeated, and resulting in no demonstrated harm”, in contrast with a lifetime of hard work, achievement and volunteer work.

Sullivan has volunteered as CEO of a non-profit providing humanitarian aid to Ukraine, according to Mr Angeli, who shared with Judge Orrick letters of commendation to Sullivan from Ukrainian defence officials.

Prosecutors argued that the many letters to the judge detailing Sullivan’s good deeds and qualities underscore that he “knew how wrong his conduct was”.

Prosecutors asked the judge to send a message with the sentencing so that every other well-connected corporate executive in cyber security and other fields “knows that the sanction for such a failure will be significant and meaningful”.

Sullivan’s conviction “stands as shocking proof that even such a revered figure in his community will resort to criminal activity when his reputation is on the line and he thinks no one is watching”, prosecutors said in a court filing.

Mr Samuel Levine, the director of the Federal Trade Commission’s bureau of consumer protection, said in a letter to Judge Orrick that after Sullivan misled the agency, it had to reopen a closed investigation of Uber’s data security and renegotiate an earlier 2014 agreement with the company stemming from a similar data breach.

The security officers who wrote in support of Sullivan voiced concern that executives in their roles could face unwarranted criminal and civil liability.

Security chiefs must present cyber security risks to top executives “so that breach reporting and other such decisions are made by upper management and lawyers, not us”, according to the letter.

“The fear of later second-guessing, or finding that a decision was wrong in retrospect, may interfere with our ability to respond quickly in a crisis, damaging our organisations and customers.” BLOOMBERG
