A judge sentenced Joe Sullivan, the former chief security officer at Uber, to three years’ probation and 200 hours of community service on Thursday for concealing a 2016 cyberattack from authorities and obstructing a federal investigation. From a report: Sullivan’s case is likely the first time a security executive has faced criminal charges for mishandling a data breach, and the response to Sullivan’s case has split the cybersecurity community. In October, a jury found Sullivan guilty of obstructing an active FTC investigation into Uber’s security practices and concealing a 2016 data breach that affected 50 million riders and drivers. Uber paid the hackers $100,000 to not release any stolen data and keep the attack quiet. Sullivan and his team routed the payment through the company’s bug bounty program, which good-faith security researchers usually use to report flaws. The hack wasn’t publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.
Khosrowshahi fired Sullivan in 2017, telling the jury last fall that he thought the decision to conceal the breach was “the wrong decision.” Sullivan then joined Cloudflare as its chief security officer in 2018, and he stayed there until July 2022 when he stepped down to prepare for his trial. “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison,” Judge William Orrick said during the sentencing on Thursday. “When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off,” Orrick added.
Source: Slashdot – Ex-Uber Security Chief Gets Probation for Concealing 2016 Data Breach