Former Uber CISO Escapes Jail Time

The Uber breach saga continues. Joe Sullivan, Uber’s former CISO, was convicted of lying to the feds about a breach that happened in 2016. Hackers broke into Uber and stole data on 57 million customers and 600,000 drivers.

One of the counts he was convicted of was hiding the 2016 breach from the feds who were interviewing him while he was giving sworn testimony about the 2014 breach.

The second count he was convicted of was covering up the 2016 breach. They say he hid the breach from executives at Uber. Maybe that is true. Seems unlikely but maybe.

Sullivan worked a deal with the hackers. He “converted” the breach into a bug bounty, paid the hackers $100,000 and had them sign an NDA. The hackers agreed that they had not accessed any sensitive data – which was a lie.

That was the largest bribe Uber had paid under the bug bounty program, although, according to reports, bribes, well, maybe this was not a one-off.

Uber brought in a new CEO in 2017 and at Sullivan’s trial the CEO said he fired Sullivan when he found out that Sullivan had lied to him about the breach.

The feds wanted the judge to sentence him to 15 months.

Sullivan’s attorney, at sentencing, said that Sullivan had kept the former CEO and some members of the legal team fully informed. I believe, in legal terms, they would be known as un-indicted co-conspirators.

His attorney claimed that he wanted the hackers not to sell the data and I am sure that he did not want that to happen.

The judge said he had received 186 letters, arguing both to throw him in jail and give him leniency.

The judge also said that the CEO was just as culpable as Sullivan – except that Joe was convicted and Kalanick walked away. He probably got a severance and, as a co-founder of Uber, probably has a lot of Uber stock.

I am siding with Sullivan from what I know. He got away with three years’ probation, a $50,000 fine and 200 hours of community service.

The judge said that if he had a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.

During sentencing Judge Orrick said “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”

This case has gotten so much press that likely every judge in the country knows about it and probably has an opinion about the sentence.

This should be considered a shot-across-the-bow to executives everywhere that hiding a breach might not work out so good for them. Joe got lucky. The next person probably won’t be so lucky.

Credit: Dark Reading and The Record
