Recently, federal prosecutors charged Uber’s former security chief Joseph Sullivan with obstruction of justice and failing to share knowledge of a felony. If convicted of both charges, Sullivan would face up to eight years in prison. The incident in question is the company’s 2016 data breach, which exposed the information of 57 million users, including names, email addresses, and phone numbers. Instead of reporting the hack to the FTC, Uber paid the hackers $100,000 to delete the information and attempted to get them to sign non-disclosure agreements. When Uber’s current CEO Dara Khosrowshahi found out in 2017, the company fired chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark.
How Sullivan chose to handle the incident is an interesting point of contention for many in the cybersecurity and information security sector. Many organizations have either bought cyber insurance or have prepared for inevitable ransomware attacks in order to get systems back up and running as soon as possible (e.g. Garmin’s recent incident). What may fall into a grey area is the fact that Sullivan did not disclose the $100,000 payoff to the FTC and also attempted to get the culprits to sign an NDA. Sullivan is said to have collaborated closely with Uber’s legal department and to have operated in accordance with the company’s written policies. Given Uber’s previous leadership and scandals, it is plausible that Sullivan was directed to act this way by previous management under CEO Travis Kalanick, in order to avoid further scrutiny while the company was already under investigation over an earlier 2014 hack. If this is the case, was Sullivan right to comply with the company’s guidelines and conceal the attack even though Uber was already under the microscope?
This is the question that creates an interesting discussion for many, as Sullivan was simply complying with company guidelines and dealing with the incident to the best of his knowledge. If employees are following corporate guidelines, should they be open to criminal liability? Many information security professionals will agree that data breaches are inevitable, but the right response to one varies depending on who you ask. With ransomware attacks at an all-time high, the outcome of this case could really change the personal risk equation for many CISOs. CISOs are already under a lot of pressure to keep everyone safe and data secure, yet they are often not given the resources or authority to execute. Additionally, with a majority of organizations now working remotely, the attack surface for a potential data breach has exploded, leaving CISOs in an extremely tough situation. CISOs will have to think hard about the position they are in, as an inevitable data breach could thrust them into the spotlight and leave them relegated to the role of scapegoat for the organization.