³ÉÈËÂÛ̳

Ex-Uber security chief sentenced over covering up hack

  • Published
Uber written on side of carImage source, Getty Images

Uber's former chief security officer has avoided jail and been sentenced to three years' probation for covering up a cyber-attack from authorities.

Joseph Sullivan was found guilty of paying hackers $100,000 (£79,000) after they gained access to 57 million records of Uber customers, including names and phone numbers.

He must also pay a fine of $50,000, and serve 200 hours of community service.

Prosecutors originally asked for a 15-month prison sentence.

Sullivan was also found guilty of obstructing an investigation from the Federal Trade Commission.

judge William Orrick said he was showing Sullivan leniency partly because this was the first case of its kind, but also because of his character.

"If there are more, people should expect to spend time in custody, regardless of anything, and I hope everybody here recognises that," he said.

The hack

Sullivan began his role as Uber's chief security officer in 2015.

In November 2016, the attackers who targeted Uber emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ).

Staff working for Sullivan confirmed data, including records of 57 million Uber users and 600,000 driving licence numbers, had been stolen.

According to the DOJ, Sullivan arranged for the hackers to be paid $100,000 in exchange for them signing non-disclosure agreements to not reveal the hack to anyone.

The hackers were paid in December 2016, disguised as a "bug bounty" - a reward used to pay cyber-security researchers who disclose vulnerabilities so they can be fixed.

The hackers subsequently faced conspiracy charges in 2019 and pleaded guilty.