According to an Axios report, Joe Sullivan, Uber’s former chief security officer, has been sentenced to three years of probation and 200 hours of community service for obstructing a federal investigation and hiding a cyberattack that took place in 2016.
Sullivan’s conviction is notable as he is reportedly the first security executive to be charged with a criminal offense for mishandling a data breach. However, his sentence has divided the cybersecurity community. In October 2022, Sullivan was found guilty of covering up a data breach that impacted 50 million riders and drivers and of obstructing a Federal Trade Commission investigation. Uber had paid $100,000 to the hackers to keep the breach secret, using its bug bounty program.
Sullivan left Uber to become Cloudflare’s chief security officer in 2018, but he resigned in July 2022 to prepare for his trial. As noted in Dark Reading, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, imposed a $50,000 fine, and mandated 200 hours of community service. However, Orrick noted that the verdict should not be considered a precedent for other cases and that other cybersecurity executives might not be so lucky as to avoid a prison term in similar circumstances. Sullivan’s supporters submitted 186 letters to the court before sentencing, including one from former Uber CEO Travis Kalanick.