Estimated reading time: 2 minutes, 3 seconds

Ex-Uber Security Leader Avoids Prison, But Others Are On Notice  

Monday, May 15 2023
Vulnerabilities
Written by  Security Tech Brief Staff

A federal judge in San Francisco has sentenced Joe Sullivan, the former chief security officer at Uber, to three years’ probation for criminal obstruction involving a data breach.

UberBut District Court Judge William Orrick also warned other security executives that they might not be so fortunate as to avoid prison time in such cases.

As Axios reports, Orrick said during the sentencing, “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.” Orrick reportedly added, “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”

As Dark Reading reports, some industry viewed Sullivan as the scapegoat for a wider security lapse at the ride-hailing giant. Prosecutors in the case, meanwhile, had pushed for a 15-month prison stint. Some will probably see the no-prison-time sentence as too little of a deterrent to executives tempted to cover up data breaches in the future.

A federal jury found Sullivan guilty in October 2022 on two felony counts involving a November 2016 data breach at Uber that affected about 57 million customers and 600,000 drivers. One of the counts had to do with withholding information about the breach from Federal Trade Commission authorities who were then probing a 2014 Uber breach.

Along with probation, the judge also sentenced Sullivan to 200 hours of community service and a $50,000 fine.

As The Wall Street Journal reports, current and former security leaders said in letters filed in court documents that a harsh sentence in this potentially precedent-setting case might prompt executives to err on the side of discussing too much. Ed McAndrew, a partner at law firm BakerHostetler and former federal cybercrime prosecutor, said that paying hackers not to publish data and other practices involved in Sullivan’s case were unusual in 2016 but are typical today.

Ira Winkler, field CISO at security risk-management-company Cyesec, told the Journal that Sullivan wasn’t a mere fall guy here. “The lessons from this case show that CISOs should act morally and ethically, and within the bounds of the law,” Winkler said.

Peter Swire, a law and ethics professor at the Georgia Institute of Technology’s Scheller College of Business, told Law.com, “Security chiefs ought to know already that they shouldn’t submit sworn testimony that is untrue or seriously misleading.”

Read 672 times
Rate this item
(0 votes)
More in this category: « Samsung Warns Staff Not to Use AI Like ChatGPT After Leak   U.S. Department of Transportation Investigates Massive Breach   »

Visit other PMG Sites:
PMG360 is committed to protecting the privacy of the personal data we collect from our subscribers/agents/customers/exhibitors and sponsors. On May 25th, the European's GDPR policy will be enforced. Nothing is changing about your current settings or how your information is processed, however, we have made a few changes. We have updated our Privacy Policy and Cookie Policy to make it easier for you to understand what information we collect, how and why we collect it.
Ok Decline