This article is more than 1 year old

Ex-Uber CSO gets probation for covering up theft of data on millions of people

Exec begged judge for leniency – and it worked

Joe Sullivan won't serve any serious time behind bars for his role in covering up Uber's 2016 computer security breach and trying to pass off a ransom payment as a bug bounty.

A San Francisco judge on Thursday sentenced the app maker's now-former chief security officer to three years of probation plus 200 hours of community service, despite prosecutors' pleas to throw Sullivan in the cooler.

Late last month federal officials urged the judge to sentence Sullivan to 15 months in prison for covering up the theft of data from Uber's IT systems and lying to watchdogs about the intrusion.

"Corporate leaders are called upon to do the right thing even when it is embarrassing, even when it is bad for the company's bottom line," they said [PDF]. "Nobody, neither corporations nor the executives who lead them, is above the law."

Sullivan, who previously worked as a cybercrime prosecutor for the US Department of Justice, submitted a letter [PDF] to the judge in which he said he "deeply regrets" his actions in 2016 and urged leniency, to "give me a chance to use what has happened here to give back to my community."

In October, a jury found Sullivan guilty of two felonies related to covering up the theft of Uber drivers and customers' personal information. The conviction followed earlier charges of obstruction of justice and misprision, or concealing a felony from law enforcement.

The charges, and today's sentencing, stems from an intrusion in 2016 during which crooks broke into the ride-share and food-delivery app developer's network and stole 57 million customer and driver records. Sullivan and Craig Clark, Uber's then legal director of security and law enforcement, were fired as a result.

Travis Kalanick, who was Uber's CEO at the time of the theft, was not charged related to the intrusion, although he allegedly discussed with Sullivan a strategy for handling the breach. Today in court, Judge William Orrick reportedly said he believes Kalanick is "just as culpable" as Sullivan for the cover-up.

These days, Kalanick is worth $4 billion, according to Forbes, and serves as CEO of CloudKitchens, a real estate company that provides kitchens for delivery-only restaurants, that has raised money from the Saudi Arabia Public Investment Fund and Microsoft.

Sullivan, according to court documents [PDF], learned of the theft in November 2016, about 10 days after providing testimony to the US Federal Trade Commission about a 2014 cyberattack on Uber. Concerned that another data security breach would harm the company, Sullivan tried to cover up that 2016 heist.

"Thereafter, Sullivan engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC," court docs read.

This scheme involved trying to pass off a total of $100,000 in ransom payments, made to the thieves to recover the stolen data, as a bug bounty award. At the time, Uber's highest reward offered to find and disclose vulnerabilities was $10,000.

Both of the thieves, Brandon Glover and Vasile Mereacre, pleaded guilty in 2019. They haven't yet been sentenced, and Mereacre testified at Sullivan's trial last fall.

Uber, meanwhile, went on to suffer several more data-theft fiascoes. ®

More about


Send us news

Other stories you might like