Former Uber Security Chief Avoids Jail Time for Data Breach Scandal, Gets Probation
Joseph Sullivan was charged with obstruction of justice in 2020 and found guilty in October.
By Madeline Garfinkle. Edited by Jessica Thomas.
Joseph Sullivan, former security chief for Uber, was sentenced to three years of probation and 200 hours of community service for crimes related to a data breach scandal seven years ago.
In 2016, two hackers accessed the personal data of nearly 57 million Uber users and drivers. After emailing Sullivan about the security breach, the hackers demanded $100,000 for their silence — which Sullivan paid in Bitcoin from the company's bug bounty program.
"The criminal complaint alleges that Sullivan took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the breach," the U.S. Attorney's Office for the Northern District of California wrote in a 2020 press release after Sullivan was charged with obstruction of justice. Sullivan was ultimately found guilty in October.
Prior to the sentencing on Thursday, federal prosecutors recommended between 24 and 30 months of jail time for Sullivan. However, San Francisco district judge William Orrick granted Sullivan leniency due to the "unusual nature" of the case, Sullivan's character and the fact that the crime was the first of its kind, The Wall Street Journal reported. Orrick noted, though, that future offenders shouldn't expect as much grace.
"If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognizes that," he said, per the WSJ.
Orrick was also encouraged not to sentence Sullivan to prison in a letter signed by nearly 50 former and current chief security officers from companies including Netflix, Blackstone and the U.S. government.
The individuals argued that the position requires making "nuanced judgment calls in a largely unregulated environment, which has few explicit rules and regulations, including rules about disclosing data security incidents to the government," the letter stated, per Bloomberg.