Joe Sullivan, former Chief Security Officer of Uber, avoids prison time for concealing data breach

Former Uber CSO Joe Sullivan has been sentenced to probation and 200 hours of community service after being found guilty of obstructing an FTC investigation into a data breach that the company suffered in 2014, and of hiding a larger breach in 2016 that compromised the information of over 50 million Uber users and drivers. Sullivan was charged in August 2020 and found guilty in October 2022. Prosecutors had hoped for a 15-month prison sentence, while the defense argued for probation.

Sullivan was accused of instructing the hackers involved in the 2016 breach to falsely claim that no data had been stolen, and of hiding the full extent of the hack from Uber’s new management. The hackers, who pleaded guilty in 2019, were instrumental in the prosecution’s case against Sullivan. The case is being closely watched by CISOs and other cybersecurity leaders, who are concerned about the potential liability for their decisions and disclosures related to breaches and security incidents.