Risky Business

One of the big cybersecurity stories this week, for those tuned in on that frequency, is the trial of former Uber CISO Joe Sullivan. He’s a big name in that corner of the industry brought low by a lawsuit resulting from the cover up of a data breach. This is important because it may be the first time a corporate executive faces criminal liability from a data breach and every other CISO is likely watching this case sweating bullets.

Whether they should be or not is another matter.

The long and short of the story is that in 2016 a pair of hackers gained access to data of some 600,000 drivers and personal information of over 57 million drivers and riders. Sullivan’s crime is not for the data breach itself of course, that’s not his fault, but his response was to point the men trying to extort the company to their bug bounty program (designed to encourage a more amiable solution to discovered security vulnerabilities). Ultimately Uber paid the hackers $100k in bitcoin and, here’s the problem, failed to disclose the breach to the public.

Now it’s hard to say from that if Sullivan is liable. If it was his decision to keep the breach private, then legally things look grim for the former cybersecurity trailblazer. Certainly, other CISOs have rallied around the cause because they’re terrified that they’ll be next. Others have accused them of being tribal.

They are of course, and they’ll find little support for their viewpoint from the millions who had their data stolen and the act swept under the rug. The thing is, they also say that Sullivan is just a scapegoat in this whole fiasco, and they might be right about that. It’s incredibly unlikely Uber was unaware of a cool $200k in crypto getting billed on the company card and even more likely that they’d order everything hushed up.

Don’t expect sudden transparency to be in fashion following this trial either. In a data breach affecting Samsung last week the company noted that while the amount of relevant data affected varied by customer, they assured everyone that social security numbers and credit & debit card information weren’t affected. It’s a little like trying to believe that the dog ate your homework though. Only time and investigation are going to put anyone’s mind at ease.

What the trial is ultimately about is whether the sins of a whole company can be laid at the feet of one person, and if so then the already stressful job of being a CISO is about to be some risky business. It will be a bad outcome for everyone involved.

Except for the hackers, they made two-hundred grand in bitcoin. Depending on price at the time and inflation that could be as much as $10 million now.

Related Articles

Inovonics to feature Inovonics Cloud Services software at ISC West, booth #3103

Investing Now Makes the Rest of the Year Less Taxing. Literally.

WeSuite’s Tracy Larson Shares How Speed and Accuracy Grow Sales Organizations

Four Ways Your Sales Process Defines Company Growth & Profitability

Paladin Technologies launches ULC-certified monitoring station

Secure Logiq launches new website

Vince DiValerio retires after 48-year career with Vector Security

RapidFire acquires Albuquerque Low Voltage

Nice launches smart garage door opener and new mobile app

Everon’s ‘momentum is real,’ says CEO Dan Bresingham

Dedrone awarded designation status for counter-drone tech under SAFETY Act

AU10TIX ID verification suite/fraud monitor prevents $18B in fraud since 2021

Simplisafe rolls out early-access live guard outdoor service

Johnson Controls hit by ransomware attack

Risky Business

Sponsored Stories

Related Articles