Former Chief Security Officer for ride-hailing service Uber, Joseph Sullivan, has been sentenced to three years of probation and ordered to pay a $50,000 fine for his attempt to cover up a massive data breach in 2016.
The breach exposed tens of millions of customer records to hackers. Sullivan was convicted in San Francisco last October of obstructing justice and concealing knowledge of a federal felony.
This marks the first criminal prosecution of a company executive for a data breach.
Sullivan was hired as Uber's Chief Security Officer in 2015. In November 2016, hackers emailed him, confirming that they had stolen records on about 57 million users and 600,000 driver's license numbers.
He initiated a plan to hide the breach from the public and the Federal Trade Commission, which had been investigating a smaller 2014 hack.
According to the US attorney's office, Sullivan arranged to pay the hackers $100,000 in bitcoin and never mentioned the breach to Uber lawyers involved with the FTC's inquiry. He also told subordinates that "the story outside of the security group was to be that 'this investigation does not exist.'"
Uber's new management uncovered the truth during an investigation in the fall of 2017, and the breach was made public.
Sullivan was fired along with Uber lawyer Craig Clark, who had been told about the breach. Clark testified against Sullivan after being given immunity by prosecutors. While prosecutors had recommended a 15-month sentence in federal prison, Sullivan's lawyers argued that he had already suffered significant consequences as a result of the case.
The hackers responsible for the breach pleaded guilty in 2019 to computer fraud conspiracy charges and are awaiting sentencing. No other Uber executives were charged in this case.