Uber's ex-exec is sentenced for covering up a 2016 data breach

Uber got hacked big time in 2016.


The backstory: Uber got hacked big time in 2016. So, here's what happened – two hackers broke into an Uber engineer's site, and from there, they got logins to access a ton of data on an Amazon Web Services account handling tasks for Uber. You know, stuff like personal info on drivers and riders. Then, these hackers emailed Uber's head of security, Joe Sullivan, and told him they snagged over 57 million Uber user records, including around 600,000 driver's license numbers. Instead of owning up to the attack, Sullivan paid them US$100,000 to keep it hush-hush and delete the info. He passed the ransom payment off as a "bug bounty," which is a reward that companies pay to cyber-security researchers for pointing out security flaws so they can be fixed.

More recently: Uber CEO Dara Khosrowshahi eventually had to come clean about this massive data breach in 2017, and it cost the company US$148 million to settle all the legal claims from the mess. Because of the coverup, Sullivan was canned that same year. But it doesn't end there. He was also convicted last year for hiding the hack from US authorities. Sullivan denied the charges, and his lawyers argued that the identities of the hackers were only found out because of Sullivan's decision. The two hackers were later identified and convicted of the crime.

The development: Now, Sullivan just got sentenced for his involvement in the coverup, but it's not the kind of punishment you might expect. Instead of going to jail, he got three years of probation, a US$50,000 fine, and 200 hours of community service. He was also found guilty of obstructing the Federal Trade Commission's investigation. The prosecutors wanted him in prison for 15 months, but the judge reportedly let him off easy since it's the first case like this and because Sullivan has a decent character. But the judge warned anyone else who tries to pull a similar stunt that they won't get off so easy in the future.

Key comments:

"We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers," said US attorney Stephanie Hinds.

"If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognizes that," said Judge William Orrick.

"Silicon Valley is not the Wild West," said US lawyer David Anderson in 2020. "We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect co-operation with our investigations. We will not tolerate corporate cover-ups."

"Mr. Sullivan's sole focus, in this incident and throughout his distinguished career, has been ensuring the safety of people's personal data on the internet," said David Angeli, Sullivan's lawyer, after Sullivan's conviction last year, according to the Washington Post.