Uber’s former chief security officer escaped jail time and was sentenced to three years probation for lying to authorities about a cyber-attack.

Joseph Sullivan was convicted of paying hackers $100,000 (£79,000) after they acquired access to 57 million Uber user details, including names and phone numbers.

He must also pay a $50,000 fine and perform 200 hours of community service.

Prosecutors had requested a 15-month prison term.

Sullivan was also found guilty of impeding a Federal Trade Commission probe.

According to the Wall Street Journal, judge William Orrick stated that he was lenient on Sullivan not just because this was the first case of its kind, but also because of his character.

“If there are more, people should expect to spend time in custody, regardless of anything,” he continued, “and I hope everyone here recognizes that.”

The breach
In 2015, Sullivan was appointed as Uber’s chief security officer.

According to the US Department of Justice (DOJ), the attackers who targeted Uber wrote Sullivan in November 2016 and informed him they had stolen a substantial amount of data that they would destroy in exchange for a ransom.

Sullivan employees confirmed that data, including information of 57 million Uber customers and 600,000 driver license numbers, had been stolen.

Sullivan, according to the DOJ, arranged for the hackers to be paid $100,000 in exchange for signing non-disclosure agreements promising not to expose the hack to anybody.

The hackers were paid in December 2016 under the pretense of a “bug bounty” – an incentive given to cyber-security researchers who disclose flaws so that they might be patched.

In 2019, the hackers were charged with conspiracy and pleaded guilty.