Former Uber CSO Indicted for Covering Up 2016 Breach
Former Uber CSO Joseph Sullivan has been indicted for allegedly covering up a 2016 data breach at the company. The breach compromised personal data belonging to 57 million Uber drivers and passengers; the information included Uber drivers' driver's license numbers. Sullivan allegedly failed to disclose the breach while the FTC was investigating a 2014 breach at the company.
There is a more subtle lesson here than the need to follow the rules. As security becomes more core to enterprise success, security practitioners will increasingly be caught up in decisions involving CEOs and attorneys. When the CEO believes that he does not need to follow the rules, the resulting culture of criminality corrupts good people by implicitly or explicitly threatening their high-paid jobs if they don't "go along." The bottom line: if you work for an executive who expects his/her people to break the rules, get out quickly.
Over the past several years, Uber has become the poster child for dysfunctional management in many areas - not surprising to see security management being accused of being part of the problem. This is a good cautionary tale to use with CXOs, legal counsel, and boards to illustrate the high risks of trying to downplay or hide incidents.
Sullivan reportedly received an email from the hacker informing him of the 2016 breach and, rather than report the breach, paid the attackers $100,000 USD in bitcoin via a bug bounty program and had the attackers sign a non-disclosure agreement (NDA) asserting that no data was stolen or stored.