Ex-Uber CSO gets probation for covering up theft of data on millions of people

Joe Sullivan won't serve any serious time behind bars for his role in covering up Uber's 2016 computer security breach and trying to pass off a ransom payment as a bug bounty. A San Francisco judge on Thursday sentenced the app maker's now-former chief security officer to three years of probation plus 200 hours of community …

  1. aerogems Silver badge

    Kind of torn on this one. On the one hand, the fact that PII was exfiltrated should be taken very seriously. The sentence seems a bit light on this one. Though, at the same time, his being in prison isn't going to change anything for the people who had their PII compromised and at least he was charged and convicted. That alone is a big step forward for the US legal system where normally these sorts of crimes end with the company raiding the CEO's hookers and blow petty cash box to pay the fine and that's the end of it. I know... won't someone think of the executives!?

    The "bug bounty" bit... meh. I suppose it could technically be seen as some kind of market manipulation or other fraud, and while he should have known better, there's a very good chance he wasn't some rogue actor who took it upon themselves to take this action alone. It was likely cleared with others like the CFO and CEO. On that one, probation and community service seems on the light, but fair side. Probation isn't as easy as a lot of people think. You have to regularly check in with your PO, live by a bunch of arbitrary rules set by your PO, you can be in violation of your parole if you don't have a job and getting a job with a felony conviction can be difficult, plus it's oftentimes ridiculously expensive. His community service should be having to work for some credit monitoring outfit or something that is largely related to what he was convicted of, not just picking up trash on the side of the road or something.

    1. steven_t

      Hookers and blow

      > That alone is a big step forward for the US legal system where normally these sorts of crimes end with the company raiding the CEO's hookers and blow petty cash box to pay the fine and that's the end of it.

      That's trickle-down economics in action. If there are fines, it is the poor hookers and dealers who suffer :-)

      > His community service should be having to work for some credit monitoring outfit or something that is largely related to what he was convicted of...

      Work that gives access to more personal data? I'm not sure the data subjects would approve of that, especially since most of them only have credit monitoring in the first place because their data was leaked by some careless company.

      1. aerogems Silver badge

        Re: Hookers and blow

        "That's trickle-down economics in action. If there are fines, it is the poor hookers and dealers who suffer :-)"

        OK, fine... Won't anyone think of the poor hookers and drug dealers!?

        "Work that gives access to more personal data?"

        He wasn't responsible for leaking the data, just bungling the attempted payoff to keep it quiet. So, ostensibly he still has some skills that could be useful in the security field.

        1. Someone Else Silver badge

          Re: Hookers and blow

          So, ostensibly he still has some skills that could be useful in the security field.

          Fine. Let him try to get a job in that field -- good luck wi' dat!

          Of course, the job search should begin after his probation period ends, and his 5 weeks of "community service" have been paid off.

    2. Pascal Monett Silver badge

      "having to work for some credit monitoring outfit"

      I would personally prefer that he not gain additional information on how to manipulate the situation in the future. He is now tainted not only with cover-up, but with failure to cover up.

      Let him do work in an entirely different branch that has nothing to do with security.

    3. Doctor Syntax Silver badge

      The consequence of a light sentence is that it doesn't send an effective deterrent message to others in the same position.

      1. david 12 Silver badge

        If only that were true. However, decades of research and centuries of observation have shown that "severity of punishment" has no significant effect on crime. "Detection" has a significant effect on crime, timelines have a significant effect on crime, and as the old joke goes "first you have to get their attention", but almost nobody commits crimes believing that they will be caught, so the difference between "overnight in jail" and "death penalty" is completely irrelevant.

  2. MachDiamond Silver badge

    I think we've spotted the problem

    There's very little downside to exposing people's PII so there's no point in putting much money and effort into it. Uber is still around and people still think of them first when they need a taxi (I exclude myself). If execs were likely to be spending time behind bars and relieved of their expensive home, fancy cars and extensive wine cellars, maybe more care would be taken. The fines should be steep and that means the possibility of company ending steep. It would be too bad that rank and file employees would lose their jobs, but that's nothing in comparison to all of the people whose sensitive information is made public. I don't accept the preservation of a few hundred jobs being that important.

    1. doublelayer Silver badge

      Re: I think we've spotted the problem

      I agree that a harsher penalty is desirable, but I don't think destruction of the entire company should be the goal here. The people who committed the crime should suffer more than the rest of the company, and we should try to have a penalty that acts as a deterrent to committing the crime, not a deterrent to anything happening at all. That means that the people at fault get most or all of the penalty, and those who had nothing to do with it are spared.

      You may not care about this company, and I'm not that bothered about them either, but would you feel the same if some executive of a company you appreciate did something similar? It's not unusual for people with power to do something unethical that results in legal charges, but do you want that to mean that the rest of the work done by the company gets hammered down, even when that work was likely unrelated to the crime? My guess is that you're trying to prevent the cases where an executive commits a crime and the company gets a tiny fine which doesn't change their practices, and I think we can more easily deal with that by punishing the people who broke the law personally rather than by punishing the company, whose bills the executives won't be paying, and letting the responsible parties off easy.

      1. M.V. Lipvig Silver badge

        Re: I think we've spotted the problem

        C-Suite serves time on a chain gang, and is banned from running a company. Anything else, including jailing the ones actually responsible, will do no more than a fine will. Joe Blow, CEO, will not only not care if his best friend whom he made director of IT goes to prison, he won't even remember his former ex-best friend's name. On the other hand, if Joe Blow himself is the one who stands a chance of wielding the sledge hammer in the rock quarry, then sufficient money will be made available to prevent a break-in to begin with.

        You have to hit CEOs where it hurts, and that means them personally - they won't even care if their own wife is the one that swings. With enough money they can get a younger model who was never told what the phrase "no, I'm never doing that, you pervert" means.

  3. very angry man

    in what country?

    "Corporate leaders are called upon to do the right thing even when it is embarrassing, even when it is bad for the company's bottom line," they said [PDF]. "Nobody, neither corporations nor the executives who lead them, is above the law."

    1. Anonymous Coward

      Re: in what country?

      In my head I hear Borat introducing this chap, and his mate Travis, in his inimitable style.

  4. Anonymous Coward

    Motivation…

    Deception = Premeditated

    What we have to remember, is that execs are sometimes employed for these exact qualities :-/

    1. Anonymous Coward

      Re: Motivation…

      I don't think it necessarily was pre-meditated.

      It sounds to me like the CSO tried to take the neatest solution. The primary responsibility of an executive is to the business and the shareholders. As scummy as his decision was, he acted exactly in line with what would be expected of an executive. Which is unfortunate but is the way business goes in the USA it seems.

  5. Anonymous Coward

    USA Justice the best money can BUY

    What's left to say about rich people NOT being held to the same standards as everyday folk?

    Money talks and greases the wheels; just look at the USA Supreme Court.

    Katching $$$$$$

  6. Claptrap314 Silver badge

    We should publicly

    state that we are going to be watching the judge's lifestyle very carefully for the next several years.

    You need to be a special kind of idiot to be involved in law enforcement on the one hand and be clueless about the societal effects of bad security on the other.

    This man is a multiple felon. I'm not saying that he should get the maximum, but probation?

  7. John Savard

    The Real Excess Leniency

    It's those who are truly culpable, who freely chose to break the law, that need to be punished. But the CEO of the company at the time hasn't even been charged. So I'm not upset at the leniency granted to someone who no doubt was acting under threat.

  8. CowHorseFrog Silver badge

    Must be a strange world where the only people that make the news are those w/ three letter self provided titles.
