Former Uber Technologies chief security officer (CSO) Joseph Sullivan was sentenced to probation Thursday for trying to cover up a 2016 data breach and theft of tens of millions of customer records, the Associated Press said.
Convicted last October by a jury of hiding the incident from the U.S. Federal Trade Commission, Sullivan was sentenced to three years’ probation and ordered to pay a fine of US$50,000.
His conviction was the first criminal prosecution of a company official over a data breach.
Bloomberg News reported the San Francisco jury rejected his defence that other executives knew about the coverup and were responsible, convicting him of obstructing a government investigation and concealing the theft of personal data of 50 million customers and 7 million drivers. That included over 800,000 Canadians.
Prosecutors had recommended a sentence of 15 months in federal prison.
“I think that considering the guilty verdict, Judge Orrick’s sentencing of Joe to three years probation and 200 community service hours, was well balanced and appropriate,” commented Avishai Avivi, CISO of SafeBreach. The judge did note that former Uber CEO Travis Kalanick was “just as culpable,” Avivi added. “While I understand some may be disappointed that Mr. Sullivan avoided jail time, Judge Orrick made sure to note that this was that this was an ‘unusual one-off.'” Judge Orrick also noted that if he has a similar case in the future, ‘even if the defendant had the character of Pope Francis, they would be going to prison’ — sending a clear message to the CISO and business community, and confirming to the Justice department that this was a one-off leniency.”
This case should also recognize “that the CISO is a business partner,” Avivi said, “and that partnership should enable the CISO to avoid having to deal with the ethical dilemma Sullivan had to face, and ultimately bear the consequences of his choice.”