Prosecutors Asked for 15-Month Sentence; Sullivan Instead Gets 3 Years of Probation
Joe Sullivan, the former chief security officer of Uber, will not spend time in prison for his role in impeding a federal investigation into the ride-hailing company’s security practices. His sentence is three years of probation and a $50,000 fine.
The sentence is less than the 15 months that prosecutors had sought.
Judge William Orrick of the U.S. District Court for the Northern District of California told Sullivan he would not impose prison time due to the unprecedented nature of the case “and because of your good character.”
Before sentencing, Sullivan addressed the court, his voice at times breaking. “I could have been a good role model in this case, and instead I was a bad role model,” he said.
Probed by Orrick on what he would have done differently, Sullivan said he would have sought the opinion of outside counsel. After prompting from Orrick, he added that he would have consulted with corporate general counsel.
A jury convicted Sullivan, 54, in October on two felonies, finding him guilty of obstruction and misprision of a felony, which refers to knowing something is a felony and covering it up (see: Jury Finds Former Uber CSO Joe Sullivan Guilty of Cover-Up).
The unique nature of the case stems from how the obstruction didn’t “have to do with money, have to do with greed,” Orrick said.
“But if I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison,” Orrick said.
Sullivan’s tenure as Uber chief security officer ended in 2017 after he oversaw a $100,000 payment in bitcoin, made in the guise of a bug bounty, to two hackers who in 2016 stole driver and rider account data of 57 million individuals, including 600,000 driver’s license numbers.
Prosecutors have emphasized their case wasn’t motivated by Sullivan’s response to the hacking incident but by the fact that he concealed it from the Federal Trade Commission, which was investigating Uber for an earlier data breach in 2014 that had similar underlying causes. The 2016 breach occurred just days after Sullivan testified to the FTC that Uber under his watch had fixed problems revealed by the earlier incident.
Orrick repeatedly stressed during Thursday’s sentencing hearing that cybersecurity professionals should not view the prosecution as being based on bad calls made during the heat of responding to a cybersecurity incident.
It’s a serious violation for “any citizen to conceal, if not outright lie, to a government entity that is involved in protecting the public from big things like huge data breaches,” Orrick said.
Update May 4, 2023 23:18 UTC: This story has been updated throughout.