U.S. District Judge William Orrick sentenced Sullivan to three years probation, noting his significant past work protecting people from the type of crime he later covered up. He also said Sullivan’s measures were successful in preventing the stolen data from being exposed.
Orrick said he believed former Uber chief executive Travis Kalanick was also responsible for what he considered a serious breach, and he wondered aloud why Kalanick hadn’t been held accountable. charged. The judge also said he was swayed by the unprecedented nature of the case, warning that future offenders would be jailed, even if they were the pope.
Sullivan’s conviction shocked many security professionals, many of whom viewed Sullivan, a former federal cybercrime prosecutor, as an industry leader who also worked in the public interest as a senior security officer at Facebook. , Uber and Cloudflare.
They also criticized the government for criminalizing questionable judgments by paying extortionists as the practice has become common in US businesses affected by ransomware. The FBI said it will not pursue prosecution of those who approve payments that do not go to gangs under sanctions for working in concert with Russian authorities or targeting critical infrastructure.
More than 180 letters have been filed with the judge praising Sullivan and asking that he be spared jail time to continue helping defenders and victims of security breaches. One of the letters was signed by 40 current or former chief security officers or information security officers.
But prosecutors asked for 15 months in jail, arguing that so many people rallied to support Sullivan because he was wealthy and well-connected, and that justice demanded that those defendants be treated the same as poor outcasts.
Sullivan “has an unblemished history. He is respected in his community. He is an innovator in his field,” the U.S. Attorney’s Office in San Francisco wrote in a sentencing memo. “But, when given the opportunity to choose between himself and the rule of law, he chose himself. Worse than that, Defendant Sullivan prioritized his interests and those of Uber over those of the tens of millions of Uber users and riders who entrusted their personal information to the company. »
Both sides said their preferred outcome would help strengthen cooperation between U.S. officials and private security efforts, a priority for the Biden administration as criminal hacking becomes more sophisticated and more closely tied to the interests of foreign governments.
Kiersten Todt, who recently resigned as chief of staff at the Federal Agency for Cybersecurity and Infrastructure Security, wrote to the judge that senior leaders had warned her that the verdict “would make it impossible to recruit smart people in CISO and CSO roles if imprisonment is on the table – and will set the industry back.
From the bench, Orrick said letters in which other security officials said they too feared prosecution showed the perpetrators did not understand the facts of the case. He said Sullivan deliberately misled the government, causing real harm to the FTC and the public.
Speaking briefly and emotionally before the judge delivered sentence, Sullivan took responsibility and apologized for hurting family, friends and the “noble profession” of cybersecurity.
“I was a bad role model,” Sullivan said hesitantly. “We’re here to be the customer’s champion, and I failed in that case.”
Citing the letters in their own memo, Sullivan’s attorneys recounted many good deeds, such as founding eBay’s Trust and Safety team and a Facebook child safety effort that his successor, Alex Stamos, attributed three-quarters of all notifications to the National. Center for Missing and Exploited Children in 2021.
“It’s not unreasonable to say that Joe and the handful of other executives who tackled this issue in these early days are probably responsible for more global child sexual exploitation prosecutions than virtually anyone else. alive,” wrote Stamos, now director of the Stanford Internet Observatory.
The criminal case against Sullivan began when a hacker sent an anonymous email to Uber and described a security flaw that allowed him and a partner to download data from one enterprise Amazon repositories.
It emerged that they had used a lost digital key that Uber had left exposed to gain access to the Amazon account, where they found and extracted an unencrypted backup of the data of more than 50 million Uber passengers and 600,000 drivers.
Sullivan’s team referred them to Uber’s bounty program and noted that the highest payout was $10,000. The hackers said they would need six digits and threatened to leak the data.
The negotiation ended with a payment of $100,000 and a promise from the hackers that they had destroyed the data and would not disclose what they had done. While prosecutors called it a cover-up, testimonies showed that Sullivan’s staff used the process to obtain clues that would lead them to the perpetrators’ true identities, which they believe was necessary leverage to hold them to account. their word. Both were later arrested and pleaded guilty to hacking charges, and one testified for the prosecution at Sullivan’s trial.
The obstruction charge was based on the fact that Uber was nearing the end of an FTC investigation at the time into a major 2014 breach, which occurred before Sullivan join the company.
While leading the response to the two hackers, Sullivan kept many other company employees informed, including an attorney on Sullivan’s team, Craig Clark. Evidence showed that Sullivan told Kalanick, the CEO of Uber at the time, and that Kalanick approved of Sullivan’s strategy. The company’s chief privacy attorney, who was overseeing the response to the FTC, was briefed, and the head of the company’s communications team also had details.
Clark, the named legal officer for the offenses, was granted immunity to testify against his former boss. During cross-examination, he admitted to having informed the team that the attack would not have to be disclosed if the hackers were identified, agreed to delete what they had taken and was able to convince the company that they hadn’t released the data further, which eventually happened.
Prosecutors had to dispute “whether Joe Sullivan could have believed that,” as one put it in his closing argument. In his remarks Thursday, Sullivan said he should have gotten outside legal advice instead of being relieved to get inside coverage to avoid disclosure.
After Kalanick was forced out of the company over unrelated scandals, his successor, Dara Khosrowshahi, came in and learned of the breach. Sullivan described it as a routine bug bounty payment, prosecutors said, editing from an email the payment amount and the fact the hackers obtained unencrypted data, including numbers phone, on tens of millions of runners. After a subsequent investigation revealed the full story, Khosrowshahi testified, he fired Sullivan for not telling him more, sooner.
Eager to show it was operating in a new era, the company helped the U.S. Attorney’s Office build a case against Sullivan. And prosecutors in turn unsuccessfully pressed Sullivan to implicate Kalanick, who would have been a far bigger prize but was not damned by the surviving written evidence, according to people familiar with the process.