Joe Sullivan, the former Chief Security Officer (CSO) of Uber, has been sentenced to three years’ imprisonment and 200 hours of community service for covering up a cyber attack on the company’s servers in 2016, which led to a data breach affecting over 50 million riders and drivers.
This is believed to be the first case in the history of cyber attacks where a CSO has faced criminal charges and imprisonment for covering up a data breach and obstructing a federal investigation.
The attack was severe, and the company’s CSO reportedly paid $100,000 to the hackers to prevent them from releasing the siphoned details and to keep the breach a secret. Surprisingly, the payment was routed to the cybercriminals through Uber’s bug bounty program and was uncovered in 2017 when the new CEO, Dara Khosrowshahi, took the helm.
Sullivan’s decision to conceal the data breach violated federal and business laws, resulting in his termination from the position of CSO almost five years ago. He later joined Cloudflare and held the same position there until July 2022, when he submitted his resignation to prepare for the trial, which started in October 2022.
NOTE: A few months ago, the White House endorsed a law presented by Congress to penalize companies that do not disclose data breaches promptly. The law also allows for the punishment of company heads and those holding the positions of CSOs and CISOs if the company is found guilty of failing to protect the information of its customers and clients.