Uber's ex-CSO avoids prison after data breach cover up

After covering up a data breach that impacted the personal records of 57 million Uber passengers and drivers, the company's former Chief Security Officer has been found guilty and sentenced by a US federal judge.

Joe Sullivan, a former security chief at Facebook, was the CSO at ride-sharing firm Uber in October 2016 when hackers stole the names, email addresses, and phone numbers of customers and drivers.

It later transpired that careless developers at the firm had left their login credentials to an Amazon Web Services bucket used by Uber in a GitHub repository.

After hackers had stolen data from the AWS bucket they contacted Uber and asked for money.

Sullivan then made a series of very unusual decisions for a CSO dealing with a data breach:

• He chose not to warn affected innocent individuals that their data had been stolen
• He chose not to tell regulators about the data breach, or inform the authorities

Instead, he chose to cover up the hack and made arrangements to secretly visit the hackers, paying them $100,000 to sign a confidentiality agreement that news of the breach would never become public.

The payment to the hackers was disguised as a payment from the business's bug bounty program, in exchange for their silence.

As we have described previously on Hot for Security, prosecutors alleged that the ego of the CSO caused him to cover up the security failure in an attempt to both protect his own ego and prevent drivers from defecting to Uber's rivals.

Prosecutors claimed that Uber drivers were "defrauded" as they continued to share a proportion of their fares with the company.

Sullivan, who is himself a former federal prosecutor and after leaving Uber was appointed Cloudflare's CISO, was warned that he could face years in prison if convicted.

However, last week he was told he was receiving a three-year probation sentence, avoiding prison time.

"If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," Federal judge for the Northern District of California William Orrick told Sullivan. "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off."