SAN FRANCISCO — Former Uber chief security officer Joe Sullivan avoided prison Thursday as he was sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach.
Ex Uber security chief Joe Sullivan is sentenced
U.S. District Judge William Orrick sentenced Sullivan to three years of probation, noting his significant past work in protecting people from the sort of crime he later concealed. He also said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed.
Orrick said he felt former Uber Chief Executive Travis Kalanick was equally responsible for what he considered a serious offense, and he wondered aloud why he had not been charged.
Sullivan’s conviction shocked many security professionals, many of whom saw Sullivan, a onetime federal cybercrime prosecutor, as an industry leader who continued to work in the public interest as the top security executive at Facebook, Uber and Cloudflare.
They also criticized the government for criminalizing questionable judgment in paying off extortionists when the practice has become a regular occurrence at U.S. companies hit by ransomware. The FBI has said it will not pursue charges against those who approve payouts that do not go to gangs sanctioned for working in concert with Russian authorities or targeting critical infrastructure.
More than 180 letters were filed with the judge praising Sullivan and asking that he be spared jail time to continue helping defenders and victims of security failures. One of the letters was signed by 40 current or former chief security or chief information security officers.
But prosecutors sought 15 months in prison, arguing that so many people rallied to support Sullivan because he was wealthy and well-connected, and that justice required such defendants be treated the same way as poor outcasts.
Sullivan “has a spotless history. He is respected in his community. He is an innovator in his field,” the San Francisco U.S. attorney’s office wrote in a sentencing memo. “But, when given the opportunity to choose between himself and adherence to the law, he chose himself. Worse than that, Defendant Sullivan prioritized his and Uber’s interests over those of the tens of millions of Uber users and riders who trusted their personal information to the company.”
Both sides said their favored outcome would help solidify cooperation between U.S. officials and private security efforts, a priority for the administration as criminal hacking gets more sophisticated and more intertwined with foreign government interests.
Kiersten Todt, who recently stepped down as chief of staff at the federal Cybersecurity and Infrastructure Security Agency, wrote to the judge that top executives had warned her that the verdict would “make it impossible to recruit smart people into the roles of CISOs and CSOs if imprisonment is on the table — and will set the industry back.”
From the bench, Orrick said that letters in which other security executives said they too feared prosecution showed that the writers did not understand the facts of the case. He said Sullivan deliberately deceived the government, causing real harm to the FTC and the public.
Speaking briefly and emotionally before the judge pronpunced the sentence, Sullivan took responsibility and apologized for hurting his family, friends and the “noble profession” of cybersecurity.
“I was a bad role model,” Sullivan said in a halting voice. “We’re there to be the champion of the customer, and I failed in this case.”
Citing the letters in their own memo, Sullivan’s attorneys recounted numerous good deeds, such as establishing eBay’s trust and safety team and a Facebook child-safety effort that his successor there, Alex Stamos, credited with delivering three-fourths of all notifications to the National Center for Missing and Exploited Children in 2021.
“It is not unreasonable to say that Joe and the handful of other executives who tackled this problem in those early days are likely responsible for more global prosecutions of child sexual exploitation than pretty much any other living people,” wrote Stamos, now director of the Stanford Internet Observatory.
The criminal case against Sullivan started when a hacker emailed Uber anonymously and described a security lapse that allowed him and a partner to download data from one of the company’s Amazon repositories.
It emerged that they had used a stray digital key Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of data on more than 50 million Uber riders and 600,000 drivers.
Sullivan’s team steered them toward Uber’s bounty program and noted that the top payout under it was $10,000. The hackers said they would need six figures and threatened to release the data.
Negotiation ended with a $100,000 payment and a promise from the hackers that they had destroyed the data and would not disclose what they had done. While prosecutors called it a coverup, testimony showed that Sullivan’s staff used the process to get clues that would lead them to the real identities of the perpetrators, which they felt was necessary leverage to hold them to their word. The two were later arrested and pleaded guilty to hacking charges, and one testified for the prosecution in Sullivan’s trial.
The obstruction charge drew strength from the fact that Uber at the time was nearing the end of an FTC investigation following a major 2014 breach, which occurred before Sullivan joined the company.
While he directed the response to the two hackers, Sullivan kept many others at the company apprised, including a lawyer on Sullivan’s team, Craig Clark. Evidence showed that Sullivan told Uber’s then-CEO Kalanick and that Kalanick approved Sullivan’s strategy. The company’s chief privacy lawyer, who was overseeing the response to the FTC, was informed, and the head of the company’s communications team also had details.
Clark, the designated legal lead on breaches, was given immunity to testify against his former boss. On cross-examination, he acknowledged advising the team that the attack would not have to be disclosed if the hackers were identified, agreed to delete what they had taken and could convince the company that they had not spread the data further, all of which eventually came to pass.
Prosecutors were left to challenge “whether Joe Sullivan could have possibly believed that,” as one of them put it in closing arguments.
After Kalanick was forced out of the company for unrelated scandals, his successor, Dara Khosrowshahi, came in and learned of the breach. Sullivan described it as a routine bug bounty payout, prosecutors said, editing from one email the amount of the payoff and the fact that the hackers had obtained unencrypted data, including phone numbers, on tens of millions of riders. After a later investigation turned up the full story, Khosrowshahi testified, he fired Sullivan for not telling him more, sooner.
Eager to show that it was operating in a new era, the company helped the U.S. attorney’s office build a case against Sullivan. And the prosecutors in turn unsuccessfully pressed Sullivan to implicate Kalanick, who would have been a far bigger prize but was not damned by the surviving written evidence, according to people familiar with the process.