Replace 05/05/23: Late on Thursday, federal choose William Orrick declared Uber’s former head of cybersecurity Joseph Sullivan would endure no jail time for protecting up a large safety breach on the ride-hailing firm seven years in the past. He’s as a substitute being placed on probation and should full 200 hours of group service.
Based on The Wall Road Journal, Orrick informed the courtroom he was exhibiting Sullivan leniency because of the uncommon nature of the case and it being the primary of its sort. He additionally introduced up Sullivan’s supposed character because of the mass quantity of letters exhibiting the ex-cyber safety official their help. The choose added that if extra cyber safety officers go the identical route as Sullivan, they might anticipate precise jail time.
Prosecutors beforehand argued for as much as a number of years in jail, however Sullivan’s attorneys pointed to the round 180 letters he acquired testifying to his prior work in cybersecurity. A kind of letters was signed by 40 former or present firm safety execs.
Authentic story:
Again in 2016, Uber suffered a safety breach ensuing within the leak of 57 million customers’ names, cellphone numbers, e mail addresses—together with the non-public data and even drivers’ licenses of 600,000 Uber drivers. As a substitute of publicly acknowledging the hack, Sullivan and some employees working for him paid the hackers roughly $100,000 to maintain the breach secret. The ransom, paid in bitcoin, got here from the corporate’s bug bounty program, although the corporate’s typical most for bug discovering is simply $10,000, and Uber didn’t make any point out of the breach to the general public. At the moment, the Federal Commerce Fee was already investigating the corporate over one other breach that occurred in 2014, earlier than Sullivan signed on as the brand new safety chief after leaving Fb (now Meta).
Based on the Wall Road Journal, Sullivan’s attorneys argued in courtroom that Sullivan made the hackers signal nondisclosure agreements exhibiting they destroyed all of the hacked information, although to this present day it’s unclear if it was confirmed the hacked information was ever actually deleted. Legal professionals for Sullivan argued that settlement was sufficient assurance to the corporate for them to categorise the incident as a mere bug bounty, as if the hackers have been simply white hats letting Uber know of its vulnerabilities fairly than stealing information.
After Uber’s present CEO Dara Khosrowshahi got here onto the scene, reporters uncovered the hack and coverup, and the corporate quickly fired Sullivan and ordered an inner investigation into him and Craig Clark, one of many legal professionals who reported to the previous CSO.
The ex-Uber exec was charged with obstruction of justice in 2020. A jury convicted Sullivan in October final 12 months of making an attempt to cover the safety breach. The courtroom discovered him responsible of obstruction and misprison of a felony for his work hiding the details of the safety breach from the FTC.
Federal choose for the Northern District of California William Orrick is about to condemn Sullivan someday after 1:30 p.m. PT, or 4:30 ET. Federal prosecutors have beneficial that the ex-Uber exec face between 24 and 30 months of jail time. The U.S. Attorneys additionally talked about fellow Uber government Anthony Levandowski, who beforehand pleaded responsible and was sentenced to 18 months for stealing commerce secrets and techniques from Google.
“If not for the fortuitous arrival of recent management at Uber, there’s each motive to imagine the tens of hundreds of thousands of victims of the 2016 Information Breach by no means would have realized about it,” prosecutors wrote of their sentencing memorandum.
Gizmodo reached out to Sullivan’s attorneys from the Angeli Legislation Group, however we didn’t instantly hear again. His legal professionals have argued in courtroom paperwork that any quantity of jail time can be “not needed” since he “has suffered, and can proceed to endure, vital penalties due to this case.” His attorneys additionally responded to the fed’s request for 2 years or extra of jail, asking the courtroom to keep in mind his devotion to his household and “staunch dedication to public service.”
The corporate has skilled main hacks, like in 2022 when the LAPSUS$ gang managed to entry the corporate’s inner community and Slack channel. The corporate was a lot faster to offer particulars on that breach than its earlier hacks. Uber has tried to repair its picture from being the information hungry mammoth it’s. Although the corporate has been extra prepared to point out customers what sort of information it has on customers, it nonetheless plans to make use of extra of shoppers’ information to conduct extra native promoting whereas in-app.
