A federal district court judge sentenced Joseph Sullivan, former chief security officer at Uber, to three years probation after he was convicted of concealing a 2016 ransomware attack against the company while the ride sharing firm was under investigation by the Federal Trade Commission.
Sullivan will also have to complete 200 hours of community service and pay a $50,000 fine.
Sullivan was convicted in October of obstructing the FTC probe and misprision of a felony, which is essentially failure to report the crime to authorities.
The FTC, in a pre-sentencing letter to the court, said Sullivan’s actions caused the agency to waste significant resources to reopen the investigation due to his failure to properly disclose the attack.
“This case wasn’t about an executive who made an innocent mistake. Mr. Sullivan was convicted of deliberately concealing important information from the FTC that was relevant to an ongoing investigation,” an FTC spokesperson said via email. “We’re pleased to see he has been held accountable for this unlawful behavior.”
The company reached a non-prosecution deal with federal authorities prior to Sullivan’s October conviction.
The attack sent shockwaves throughout the cybersecurity community and much of the legal community, as companies have historically failed to report the majority of ransomware attacks to federal law enforcement or regulators.
Sullivan arranged to pay off the hackers in the ransomware attack, while having them sign nondisclosure agreements to keep terms of the payoff a secret.