U.S. District Choose William Orrick sentenced Sullivan to a few years of probation, noting his vital previous work in defending individuals from the kind of crime he later hid. He additionally stated that Sullivan’s steps had succeeded in maintaining the stolen knowledge from being uncovered.
Orrick stated he felt former Uber chief government Travis Kalanick was equally liable for what he thought of a critical offense, and he puzzled aloud why Kalanick had not been charged. The choose additionally stated he was influenced by the unprecedented nature of the case, warning that future offenders could be jailed, even when they had been the pope.
Sullivan’s conviction had shocked many safety professionals, lots of whom noticed Sullivan, a onetime federal cybercrime prosecutor, as an trade chief who additionally labored within the public curiosity as the highest safety government at Fb, Uber and Cloudflare.
In addition they criticized the federal government for criminalizing questionable judgment in paying off extortionists when the observe has change into an everyday incidence at U.S. firms hit by ransomware. The FBI has stated it is not going to pursue costs in opposition to those that approve payouts that don’t go to gangs beneath sanctions for working in live performance with Russian authorities or focusing on important infrastructure.
Greater than 180 letters had been filed with the choose praising Sullivan and asking that he be spared jail time to proceed serving to defenders and victims of safety failures. One of many letters was signed by 40 present or former chief safety or chief data safety officers.
However prosecutors sought 15 months in jail, arguing that so many individuals rallied to assist Sullivan as a result of he was rich and well-connected, and that justice required such defendants be handled the identical means as poor outcasts.
Sullivan “has a spotless historical past. He’s revered in his group. He’s an innovator in his discipline,” the U.S. lawyer’s workplace in San Francisco wrote in a sentencing memo. “However, when given the chance to decide on between himself and adherence to the legislation, he selected himself. Worse than that, Defendant Sullivan prioritized his and Uber’s pursuits over these of the tens of hundreds of thousands of Uber customers and riders who trusted their private data to the corporate.”
Either side stated their favored end result would assist solidify cooperation between U.S. officers and personal safety efforts, a precedence for the Biden administration as felony hacking will get extra refined and extra intertwined with international authorities pursuits.
Kiersten Todt, who not too long ago stepped down as chief of workers on the federal Cybersecurity and Infrastructure Safety Company, wrote to the choose that high executives had warned her that the decision would “make it not possible to recruit good individuals into the roles of CISOs and CSOs if imprisonment is on the desk — and can set the trade again.”
From the bench, Orrick stated that letters by which different safety executives stated they too feared prosecution confirmed that the writers didn’t perceive the info of the case. He stated Sullivan intentionally deceived the federal government, inflicting actual hurt to the FTC and the general public.
Talking briefly and emotionally earlier than the choose pronounced the sentence, Sullivan took accountability and apologized for hurting his household, buddies and the “noble occupation” of cybersecurity.
“I used to be a nasty position mannequin,” Sullivan stated in a halting voice. “We’re there to be the champion of the shopper, and I failed on this case.”
Citing the letters in their very own memo, Sullivan’s attorneys recounted quite a few good deeds, similar to establishing eBay’s belief and security staff and a Fb child-safety effort that his successor there, Alex Stamos, credited with delivering three-fourths of all notifications to the Nationwide Middle for Lacking and Exploited Youngsters in 2021.
“It’s not unreasonable to say that Joe and the handful of different executives who tackled this drawback in these early days are seemingly liable for extra world prosecutions of kid sexual exploitation than just about another dwelling individuals,” wrote Stamos, now director of the Stanford Web Observatory.
The felony case in opposition to Sullivan began when a hacker emailed Uber anonymously and described a safety lapse that allowed him and a accomplice to obtain knowledge from one of many firm’s Amazon repositories.
It emerged that that they had used a stray digital key Uber had left uncovered to get into the Amazon account, the place they discovered and extracted an unencrypted backup of knowledge on greater than 50 million Uber riders and 600,000 drivers.
Sullivan’s staff steered them towards Uber’s bounty program and famous that the highest payout beneath it was $10,000. The hackers stated they would wish six figures and threatened to launch the info.
Negotiation ended with a $100,000 cost and a promise from the hackers that that they had destroyed the info and wouldn’t disclose what that they had performed. Whereas prosecutors referred to as it a coverup, testimony confirmed that Sullivan’s workers used the method to get clues that might cause them to the actual identities of the perpetrators, which they felt was vital leverage to carry them to their phrase. The 2 had been later arrested and pleaded responsible to hacking costs, and one testified for the prosecution in Sullivan’s trial.
The obstruction cost drew energy from the truth that Uber on the time was nearing the top of an FTC investigation following a significant 2014 breach, which occurred earlier than Sullivan joined the corporate.
Whereas he directed the response to the 2 hackers, Sullivan stored many others on the firm apprised, together with a lawyer on Sullivan’s staff, Craig Clark. Proof confirmed that Sullivan informed Kalanick, Uber’s CEO on the time, and that Kalanick authorized Sullivan’s technique. The corporate’s chief privateness lawyer, who was overseeing the response to the FTC, was knowledgeable, and the top of the corporate’s communications staff additionally had particulars.
Clark, the designated authorized lead on breaches, was given immunity to testify in opposition to his former boss. On cross-examination, he acknowledged advising the staff that the assault wouldn’t must be disclosed if the hackers had been recognized, agreed to delete what that they had taken and will persuade the corporate that that they had not unfold the info additional, all of which finally got here to go.
Prosecutors had been left to problem “whether or not Joe Sullivan may have probably believed that,” as certainly one of them put it in closing arguments. In his remarks Thursday, Sullivan stated he ought to have gotten an out of doors authorized opinion as an alternative of being relieved at getting inside cowl to keep away from disclosure.
After Kalanick was compelled out of the corporate for unrelated scandals, his successor, Dara Khosrowshahi, got here in and realized of the breach. Sullivan described it as a routine bug bounty payout, prosecutors stated, modifying from one e-mail the quantity of the payoff and the truth that the hackers had obtained unencrypted knowledge, together with telephone numbers, on tens of hundreds of thousands of riders. After a later investigation turned up the total story, Khosrowshahi testified, he fired Sullivan for not telling him extra, sooner.
Keen to indicate that it was working in a brand new period, the corporate helped the U.S. lawyer’s workplace construct a case in opposition to Sullivan. And the prosecutors in flip unsuccessfully pressed Sullivan to implicate Kalanick, who would have been a far larger prize however was not damned by the surviving written proof, in keeping with individuals accustomed to the method.