
Joe Sullivan, Uber’s CISO at the time they were hacked and tried to pretend it was a bug bounty event, is talking about what happened and what he/they did wrong.

Joe’s biggest problem was that he was not in control of his destiny.

He was convicted on two charges for failing to alert regulators of the breach that affected 50 million Uber customers and drivers, but, lucky for him, he was spared serving time in prison.

He is going to keynote Blackhat Europe on December 7th, so stay tuned for more details, but understand that he is trying to rehabilitate his image.

ACCORDING TO SULLIVAN (understanding that he is biased, but at least some of this rings true), the company had Directors and Officers insurance and a data breach response policy that designated a specific lawyer. They called that lawyer. He claims that he kept the CEO informed, something which they disputed.

While the insurance company can require you to use their lawyer and incident response team, they cannot stop you from calling in your own lawyer and IR team on your own dime. While Sullivan does not explain that fully, he says they should have brought in their own investigators and counsel. Most companies don’t want to do that because the breach is already costing them a fortune. These lawyers often charge upwards of a thousand dollars an hour.

Sullivan says that companies are not transparent because that is not in their best interest. He thinks the new SEC rules are a push toward more transparency, but he thinks that companies should get immunity if they are transparent.

From my point of view, that would discourage spending any money to secure your data, because if all you had to do when you were hacked was to fess up and be immune, why would you implement any security at all?

This seems to be the case in the SolarWinds SEC prosecution. They are going after SolarWinds’ CISO, Brown, and the company. In this case, they are accusing Brown of lying about what security measures they had in place.

Sullivan says that the SEC is sending mixed messages by requiring disclosures and prosecuting companies that get hacked.

I think the message is that if a company thinks it can save money by not having a reasonable cybersecurity program (which seems to be the case with SolarWinds) and/or by hiding or spinning a breach into something else (which seems to be the case with Uber), it might want to reconsider its plan of action.

The thing that I think the SEC is getting wrong is not about going after these companies, but rather going after the CISO, who really doesn’t have much authority to make decisions about handling the breach, instead of going after the CEO and/or the Board. That is where the decisions are made about handling the breach. Sullivan claims that a lot of the documents that were used in court he had never seen. I suspect that is true.

In fairness to the feds, it seems that Sullivan clearly lied to the feds by hiding and spinning what happened. I am sure he did that to save his job, but it did not have the desired outcome. Lying to the feds is a dangerous game.

Bottom line: if you are a CISO or similar person and there is a breach, and you think the company is going in a direction that could get you in trouble (and we are seeing at least two cases where the CISO is the fall guy), you may have to follow company policy to an extent, but you will have whistleblower status if you go to the feds and tell them that, and how, the company is breaking the law. Unfortunately, you sometimes have to save your own butt. While you might get fired, you are more likely to get hired elsewhere than if you get caught telling a tall tale.

The best route, of course, is to work for a company that has good ethics. That is something you figure out before a breach. If you decide that you and the company are not a good fit, move on before you have to make the kind of decisions that Sullivan and Brown made.

Maybe these prosecutions will help companies understand what is legal and what is not legal. And definitely check out Sullivan’s keynote next month.

Credit: Dark Reading