Uber Ex-Safety Chief Joe Sullivan to Be Sentenced for Breach

Replace 05/05/23: Late on Thursday, federal decide William Orrick declared Uber’s former head of cybersecurity Joseph Sullivan would endure no jail time for masking up an enormous safety breach on the ride-hailing firm seven years in the past. He’s as an alternative being placed on probation and should full 200 hours of neighborhood service.

In line with The Wall Street Journal, Orrick advised the court docket he was exhibiting Sullivan leniency as a result of uncommon nature of the case and it being the primary of its variety. He additionally introduced up Sullivan’s supposed character due to the mass quantity of letters exhibiting the ex-cyber safety official their help. The decide added that if extra cyber safety officers go the identical route as Sullivan, they may count on precise jail time.

Prosecutors beforehand argued for as much as a number of years in jail, however Sullivan’s attorneys pointed to the round 180 letters he obtained testifying to his prior work in cybersecurity. A type of letters was signed by 40 former or present firm safety execs. 

Authentic story:

Again in 2016, Uber suffered a safety breach ensuing within the leak of 57 million customers’ names, cellphone numbers, e-mail addresses—together with the non-public data and even drivers’ licenses of 600,000 Uber drivers. As a substitute of publicly acknowledging the hack, Sullivan and a few staff working for him paid the hackers roughly $100,000 to keep the breach secret. The ransom, paid in bitcoin, got here from the corporate’s bug bounty program, although the corporate’s typical most for bug discovering is simply $10,000, and Uber didn’t make any point out of the breach to the general public. At the moment, the Federal Commerce Fee was already investigating the corporate over one other breach that occurred in 2014, earlier than Sullivan signed on as the brand new safety chief after leaving Facebook (now Meta).

In line with the Wall Street Journal, Sullivan’s attorneys argued in court docket that Sullivan made the hackers signal nondisclosure agreements exhibiting they destroyed all of the hacked knowledge, although to at the present time it’s unclear if it was confirmed the hacked knowledge was ever actually deleted. Attorneys for Sullivan argued that settlement was sufficient assurance to the corporate for them to categorise the incident as a mere bug bounty, as if the hackers had been simply white hats letting Uber know of its vulnerabilities fairly than stealing knowledge.

After Uber’s present CEO Dara Khosrowshahi got here onto the scene, reporters uncovered the hack and coverup, and the corporate quickly fired Sullivan and ordered an inside investigation into him and Craig Clark, one of many legal professionals who reported to the previous CSO.

The ex-Uber exec was charged with obstruction of justice in 2020. A jury convicted Sullivan in October last year of making an attempt to cover the safety breach. The court docket discovered him guilty of obstruction and misprison of a felony for his work hiding the info of the safety breach from the FTC.

Federal decide for the Northern District of California William Orrick is ready to condemn Sullivan someday after 1:30 p.m. PT, or 4:30 ET. Federal prosecutors have recommended that the ex-Uber exec face between 24 and 30 months of jail time. The U.S. Attorneys additionally talked about fellow Uber govt Anthony Levandowski, who beforehand pleaded responsible and was sentenced to 18 months for stealing trade secrets from Google.

“If not for the fortuitous arrival of latest management at Uber, there’s each cause to imagine the tens of tens of millions of victims of the 2016 Knowledge Breach by no means would have realized about it,” prosecutors wrote of their sentencing memorandum.

Gizmodo reached out to Sullivan’s attorneys from the Angeli Legislation Group, however we didn’t instantly hear again. His legal professionals have argued in court docket paperwork that any quantity of jail time can be “not vital” since he “has suffered, and can proceed to endure, vital penalties due to this case.” His attorneys additionally responded to the fed’s request for 2 years or extra of jail, asking the court docket to take note of his devotion to his household and “staunch dedication to public service.”

The corporate has skilled main hacks, like in 2022 when the LAPSUS$ gang managed to access the company’s internal network and Slack channel. The corporate was a lot faster to offer particulars on that breach than its earlier hacks. Uber has tried to repair its picture from being the data hungry mammoth it’s. Although the corporate has been more willing to show users what kind of data it has on users, it nonetheless plans to make use of extra of consumers’ knowledge to conduct more native advertising while in-app.