Former Uber security chief Joe Sullivan has been found guilty by a jury over his role in covering up a massive data breach suffered by the ride sharing giant in 2016.
Sullivan was found guilty of obstructing an FTC investigation of a 2014 data breach at Uber, and deliberately hiding a felony from authorities, charges for which he faces up to eight years in prison. Sentencing will be set at a later date.
Sullivan served as Uber’s CSO between April 2015 and November 2017. In 2016, the company suffered a breach, with hackers stealing the information of over 50 million users and drivers. The attackers extorted Uber and were paid $100,000 through the company’s bug bounty program. They were allegedly instructed by Sullivan to sign non-disclosure agreements falsely claiming that no data had been stolen.
The full impact of the incident came to light one year later, after Uber appointed a new CEO. Sullivan was fired after it was revealed that he had hidden the full extent of the breach from Uber’s new management.
The attackers, later identified as two individuals from Florida and Canada, pleaded guilty in 2019, and they appear to have been instrumental in the case against Sullivan.
Industry professionals have commented on the outcome of the case and its implications for CISOs. Some of them have shared thoughts on whether mandatory breach notification requirements, such as the ones proposed by the SEC, would make a difference in situations like this.
And the feedback begins…
Avishai Avivi, CISO, SafeBreach:
“The role and responsibility of the Chief Information Security Officer (CISO) are evolving. The conviction of Uber’s CISO, Joe Sullivan, came to some as an unwelcome surprise and others as a justified consequence of Mr. Sullivan’s actions. I respect Mr. Sullivan’s long and distinguished career, and at the same time, I fully support the verdict. Mr. Sullivan found himself in an ethical dilemma that most CISOs find themselves in sooner or later in their career.
When a breach occurs, the CISO’s responsibility is clear – be transparent and provide all the necessary disclosures. Sometimes these disclosures are mandated by regulatory bodies, and sometimes they are just considered a responsible disclosure by the company to its constituents, even if there is no mandate or regulation requiring it. That said, depending on the reporting structure within the company, the CISO may not have the final say about whether the company will actually disclose the breach.
The CISO’s ethical dilemma is – do I maintain the integrity of my role and follow my responsibility? Or do I try and reframe the incident so that my company does not bear the consequences?
I don’t know whether Mr. Sullivan was pressured to ‘reframe’ the breach as something more benign. Ultimately that is what he chose to do. I want to think that if I were in his shoes, I would be willing to resign my position rather than betray the integrity of my role and, frankly, the trust of my constituents. I cannot speak to what Mr. Sullivan’s frame of mind was, and the ultimate fact is that he chose to obstruct justice. With that in mind, the verdict is just. I know several CISOs that are now reevaluating how they will conduct themselves in case of a breach. With that said, I do hope that the FTC and the San Francisco U.S. Attorney try to determine if Mr. Sullivan was indeed pressured to do what he did and bring similar accountability to those responsible for that pressure.”
Sounil Yu, CISO, JupiterOne:
“This case has set a terrible precedent that creates confusion around who should take liability for decisions during an incident response event. In this particular case, it was clear that Joe Sullivan coordinated his actions with the blessing of executive management, yet Joe was the one that ended up holding the bag. This is like court martialing a soldier but letting their commanding officer who gave the order go scot free.
We CISOs will need to closely review our incident reporting policies (perhaps with our own personal attorney) to ensure that it is clear how and when liability for certain decisions are transferred to the firm or to other identified executives. Until there is greater clarity on who owns the liability, the net effect may be that CISOs will push to report more than the executive management may be comfortable with.”
Neil Thacker, CISO, EMEA, Netskope:
“The international CISO community has been watching this one very closely, and hypothesising about the repercussions for some time. There is very little doubt among my peers that this case was about a serious misjudgment on the part of a CISO, but hindsight is a wonderful thing and we will probably never fully understand the complex factors and influences that led to his decisions. One of the biggest concerns within the community is an acknowledgment of the possible pressure that may have been exerted from other internal authorities upon the CISO, which led him to make the decisions. We won’t know the full repercussions for some time, but I would expect that we will see a number of CISOs and (aspiring CISOs) opting to make different career decisions based on this latest example of the personal risk burden, and we may see this further impacting the existing skills crisis in cyber security.”
Christopher Hallenbeck, CISO, Americas, Tanium:
“A change in reporting laws is unlikely to prevent what happened here. Sullivan was found guilty of actively taking steps to hide the existence of the intrusion. With these breach notification laws in place he could have violated that law in a similar manner.
If Uber’s then-President had ordered the coverup, and Sullivan internally agitated for disclosure, Sullivan wouldn’t have faced prosecution. CISOs aren’t automatically at risk, with or without a breach notification law. Their actions towards disclosure or concealment are what puts them in jeopardy.”
Rick Holland, CISO, Vice President Strategy, Digital Shadows:
“National breach notification requirements could allay some of these concerns, however, CISOs could still be at risk for perceptions around the security program that led to the breach itself. As a CISO, I’d be concerned about the risks of jury trials where jurors may not be tech savvy and appreciate the nuances of defending a modern network. CISOs challenges aren’t black and white. They are gray and jurors might not appreciate that.
Although I’m supportive of breach notification requirements, the devil is in the details. There is more unknown than known when only four days into a breach, so arbitrary disclosure timelines could have unintended consequences.”
Amitai Ratzon, CEO, Pentera:
“The guilty verdict of the Uber CISO underscores the need for more transparency between the board, risk-committees and the executive echelon. Transparency needs to carry across incident reporting as well as security posture gaps and audit data. In today’s cybersecurity attack surface there is no choice but to lift the hood and measure security exposure continuously.”
Ilia Kolochenko, Founder, ImmuniWeb:
“The Uber case is just another illustrative example of the unfolding global trend to hold cybersecurity executives accountable for their companies’ data breaches. In the future, we will likely see more CISOs, DPOs and board members civilly liable or even face criminal prosecution for security or privacy incidents. Many countries have already implemented – by the virtue of statutory or case law – personal accountability of executives for data breaches. Serious misconduct, such as deliberate concealment of a data breach despite the regulatory requirement to report the breach to mitigate harm, may even entail criminal sanctions.
Cybersecurity executives should urgently ascertain that their employment contracts address such vital issues as coverage of legal fees in case of a civil lawsuit or prosecution in relation to their professional responsibilities, as well as a guarantee that their employer will not sue them – as victimized companies may also sue their own executives in case of security incidents. Finally, cybersecurity executives should be always prepared to demonstrate a systemized, continually improved and comprehensive data protection and privacy strategy, as well as solid evidence of regular and coherent implementation thereof.”
David Lindner, CISO, Contrast Security:
“The entire situation is extremely unfortunate for Uber and the broader legal/security communities. What Uber did was cover up a breach through means of hiding it as a bug bounty submission. The conviction of the security chief is a good start but for what was disclosed there should be even more accountability of the executives and even board members.
Transparency is the only path forward for organizations. Transparency of breaches, transparency of known vulnerabilities, and transparency of the components used to build their software. Uber failed in being transparent and it has resulted in not only a fine but in the conviction of a human behind the decisions. We will see more of this if we don’t move to transparency fast.”