A U.S. appeals court has upheld the sentence of former Uber cybersecurity chief Joe Sullivan, who received three years of probation for covering up a massive data breach involving 57 million customers and 600,000 of the company’s drivers in 2016.
Sullivan sought to appeal the ruling, arguing that he was wrongly denied two key arguments during his trial. However, judges on the Ninth Circuit Court of Appeals unanimously rejected his appeal, stressing the importance of transparency in cybersecurity matters, especially when they are the subject of a federal investigation.
In 2016, Sullivan paid hackers $100,000 through a Bug Bounty program, forcing them to sign nondisclosure agreements. He also failed to notify the Federal Trade Commission (FTC) of the breach, even though Uber was required to do so after a previous data breach in 2014. U.S. prosecutors have charged him with knowingly concealing information and misleading regulators.
Joe Sullivan is a former federal prosecutor who worked in cybersecurity at Uber, Facebook and other major companies. His conviction is the first in the United States to have a security chief prosecuted for covering up a breach.
The court rejected the defense’s argument that the NDA legalized the hackers’ actions. In her ruling, Judge M. Margaret McKeon said Sullivan knew their actions were illegal, referring to them as “unauthorized intruders” even a year after the incident.
Despite the fact that federal prosecutors demanded 15 months in prison, the court limited itself to a suspended sentence, a $ 50,000 fine and community service.
78 
96 
97 