Risky Business
By Ken Showers, Managing Editor
Updated 3:14 AM CDT, Wed September 7, 2022
One of the big cybersecurity stories this week, for those tuned in on that frequency, is the trial of former Uber CISO Joe Sullivan. He’s a big name in that corner of the industry, brought low by a lawsuit resulting from the cover-up of a data breach. This is important because it may be the first time a corporate executive faces criminal liability from a data breach, and every other CISO is likely watching this case sweating bullets.
Whether they should be or not is another matter.
The long and short of the story is that in 2016 a pair of hackers gained access to data on some 600,000 drivers and the personal information of over 57 million drivers and riders. Sullivan’s crime is not the data breach itself, of course; that’s not his fault. His response, though, was to point the men trying to extort the company to its bug bounty program (designed to encourage a more amiable resolution to discovered security vulnerabilities). Ultimately Uber paid the hackers $100k in bitcoin and, here’s the problem, failed to disclose the breach to the public.
Now it’s hard to say from that whether Sullivan is liable. If it was his decision to keep the breach private, then legally things look grim for the former cybersecurity trailblazer. Certainly, other CISOs have rallied around the cause because they’re terrified that they’ll be next. Others have accused them of being tribal.
They are, of course, and they’ll find little support for their viewpoint from the millions who had their data stolen and the act swept under the rug. The thing is, they also say that Sullivan is just a scapegoat in this whole fiasco, and they might be right about that. It’s incredibly unlikely Uber was unaware of a cool $200k in crypto being billed to the company card, and more likely still that they’d order everything hushed up.
Don’t expect sudden transparency to be in fashion following this trial either. In a data breach affecting Samsung last week, the company noted that the amount of relevant data affected varied by customer, but assured everyone that social security numbers and credit & debit card information weren’t affected. It’s a little like trying to believe that the dog ate your homework, though. Only time and investigation are going to put anyone’s mind at ease.
What the trial is ultimately about is whether the sins of a whole company can be laid at the feet of one person, and if so, then the already stressful job of being a CISO is about to be some risky business. It will be a bad outcome for everyone involved.
Except for the hackers; they made two hundred grand in bitcoin. Depending on the price at the time and inflation, that could be as much as $10 million now.