The Rise and Fall of Uber CISO and The Future of Cybersecurity Industry
Uber has been in the news for several data breaches it has endured since 2014. However, something different has happened this time, not only for Uber, but for the whole of the cybersecurity industry.
Joe Sullivan, a former Chief Security Officer (CSO) of Uber, was charged with obstruction of Federal Trade Commission (FTC) proceedings and misprision of a felony, and was convicted by a San Francisco federal court on 5th October 2022.
He faces a prison sentence of 8 years, which is the maximum for these two charges, in connection with his attempted cover-up of a massive data breach in November 2016 in which 57 million records containing the personal information of Uber drivers and customers were stolen.
It is alleged that Joe Sullivan tried to cover up the breach under Uber’s bug bounty program with HackerOne, by offering the hackers a $100,000 ransom disguised as a bug bounty, under a non-disclosure agreement and with their assurance that they would delete the compromised data.
The breach was only made public one year later, when Uber’s new CEO, Dara Khosrowshahi, issued a statement about it in November 2017. The CEO mentioned in his statement that two of the individuals who led the response to the incident were no longer with the company.
Those who are close to Joe Sullivan say that he is a well-respected CISO with a distinguished track record, having worked as a US attorney and held executive-level positions at large and reputed firms including eBay, PayPal, Facebook, Uber and Cloudflare.
It is worth pointing out that only the CISO has been charged in this case, whereas all the other business executives have come out unharmed. News reports describe how Sullivan briefed the then Uber CEO, Travis Kalanick, on the breach, and how Sullivan and his security team collaborated closely with the legal, communications and other teams within the company, as required by the company’s written policies.
What is evident from the actions taken at the time of the breach in November 2016 is that:
- The hackers were paid a ransom of $100,000 in bitcoin.
- The hackers were later identified in January 2017 and were made to sign a non-disclosure agreement by Uber.
Contrary to what has been published, these activities may not have been undertaken by the CISO in isolation, without anyone else’s knowledge within the organisation. According to some news articles, Uber’s executive committee, along with the legal and communications teams, was involved in the handling of this breach. Not to mention that the CISO did all the right things by informing the executive committee and by seeking advice from the legal team, as per the company’s written policies.
The question arises why accountability did not lie with any of the other executive committee members, and why no one else from the executive committee was charged. Unfortunately, it appears the CISO has been used as a ‘scapegoat’ in this case.
This case highlights many implications for the cybersecurity industry.
Until now, CISOs would generally be fired from their job after a data breach or for mishandling one; however, this is the first time a CISO has been convicted on criminal charges for the mishandling of a data breach.
This raises concerns amongst cybersecurity professionals, and these are the questions being asked at the moment:
- Can CISOs or other security professionals be held responsible, and personally liable, for data breaches or for handling them inappropriately?
- Are we going to see mass CISO resignations if CISOs are not ready for the new regime yet, or until they have further clarity on the protections that may be offered to them?
- How will the role of a CISO evolve? Is this case going to help raise the profile of the CISO (the ‘Chief’ ISO) in a true ‘executive’ sense within the organisation?
- The CISO job is tough as it is; now the role will also come with the added baggage of personal liability. Will this be reflected in CISOs’ compensation packages, along with additional legal protection and indemnities?
- The CISO role has been very broadly defined, depending on the size of the organisation. Is this going to affect how the CISO role and its accountabilities are defined in the future?
- If a CISO can be used as a ‘scapegoat’, as appears to be the case here, will CISOs put their own interests before their employer’s, i.e. become more risk averse, potentially adversely impacting an organisation’s growth and progression?
Information security is about risk management, and for the business to remain viable, it is not possible to eliminate risk from the equation completely. Knowing which risks to treat and which ones to accept in the complex world of technology is no easy feat, and a slight error may result in a data breach.
We are treading a very thin line, balancing the business value proposition against information security. Cases like this are only going to make the security team’s job harder and may result in increased friction between the business and the cybersecurity team.
Breaches have happened in the past and breaches will happen again in the future; however, the whole ball game has changed now that personal liability and a prison sentence are on the cards.
We really have to see how the security industry evolves out of this case!
Related Discussions
October 5, 2022: The Day the Role of the CISO Changed Forever - BSW #280 (www.scmagazine.com)
In the leadership and communications section, The CISO of Tomorrow Is Stepping Into the Business Spotlight, Why a…