Ex-Uber CSO sentenced to 3-year probation over data breach cover-up

In a salutary example of what can happen when an employee tries to cover up a data breach, ex-Uber chief security officer Joseph Sullivan has been sentenced to a three-year term of probation.

David Hollingworth
Fri, 05 May 2023

Sullivan has also been ordered by a US Federal Court judge to pay a fine of US$50,000.

The result is far lighter than that sought by prosecutors, who had asked for a one-year and three-month prison sentence.

Sullivan joined Uber in 2015 as the company’s first CSO, after previously working at eBay and Facebook and a stint as assistant US attorney at the Northern District of California in the early 2000s. At Uber, Sullivan played a role in ensuring the safety of drivers and passengers, both physically and digitally.


However, when he received a ransom note from hackers in 2016, he and others in his team confirmed that the records of 57 million users had been compromised, as well as 600,000 driver’s licences. Instead of properly reporting the breach, he informed a member of the company’s legal team, who agreed that the breach should be covered up, particularly from the Federal Trade Commission.

Sullivan told his team that “the story outside of the security group was to be that ‘this investigation does not exist’.” He went on to pay the US$100,000 ransom himself, claiming it as a “bug bounty” on the company’s books.

The lawyer in question, Craig Clark, was fired alongside Sullivan in 2017 when Uber executives learnt of the full extent of the cover-up. Clark subsequently testified against Sullivan in return for immunity.

Before charges were finally laid against Sullivan in 2020, he went on to take the role of chief security officer at cloud security company Cloudflare. In that role, he was responsible for investigating the infamous Log4Shell vulnerability.

Sullivan was convicted of one count of obstruction of justice and one count of misprision of felony — an offence that applies in the case of defendants who have a particular duty to report a crime but have actively concealed that crime.

This is the first time a corporate executive has faced US federal prosecution over their handling of a data breach. It may also be the first time it has occurred in any jurisdiction and will no doubt become an important precedent.

Despite the original criminal complaint also naming then-Uber chief executive Travis Kalanick as being aware of the ransom being paid, no other Uber executives are facing charges over the matter.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
