Former CISO personally sentenced for Uber breach

How the personal conviction of the former Cyber Security Leader can impact the CISO position and cybersecurity jobs in the USA.

by Gwendal Smith
October 8, 2022
in Cyber Attacks, Cybercrime, Cyberdefense, Cybersecurity, News

The person responsible for protecting Uber’s data was found guilty of inadequately safeguarding that information, which makes CISOs’ personal liability real. An Uber data breach that occurred in 2016 was covered up by former CSO Joe Sullivan and other senior executives, resulting in a guilty verdict on October 5th, 2022, and a subsequent indictment by the Department of Justice. This verdict is a growing concern within the cybersecurity community, as it raises the personal risk for cybersecurity leadership positions and cybersecurity staff, but also for the business of CISO-as-a-Service and Virtual CISO providers.

Uber data breaches of 2014 and 2016

In May 2014, according to Uber’s Managing Counsel, 50,000 drivers across the United States were affected by this breach. Because the data accessed by an unknown third party only contained names and driver’s licenses, Uber maintains that it affected only a small percentage of its driver base. Uber sent a notification only to the drivers that were affected. But in September, they learned that the database was not restricted in terms of access, allowing anyone to grab the data. Uber declared that it immediately took steps to prevent anyone from accessing the database using that information and that it had taken other safety measures to protect it.

In November 2017, Uber revealed that hackers had gained access to the personal information of 57 million riders and drivers. According to CEO Dara Khosrowshahi, the company concealed the breach for over a year. Instead of reporting the breach, Uber paid hackers $100,000 to delete the information. Uber’s decision to cover up this breach was a blatant violation of the public’s trust. In clear defiance of the law, the company neglected to safeguard user data or notify the authorities when it was exposed.

The verdict in the Uber case could have ramifications for CISOs.

The conviction wasn’t about the breaches, but rather about former CISO Joe Sullivan’s choices with respect to his discussions with the FTC and his failure to report a felony crime. The charges related to the breach itself had been dropped.

The DOJ made clear that the two perpetrators of the 2016 Uber data breach were arrested and convicted of cybercrimes, not of participating in bug bounty programmes, as Sullivan claimed. According to the DOJ’s testimony, Sullivan’s lying to his colleagues spoke volumes about his knowledge that a crime had taken place. Both hackers pleaded guilty on October 30, 2019, to computer fraud conspiracy charges and are awaiting sentencing. After Sullivan helped conceal the Uber data breach, the hackers were able to commit another intrusion at Lynda.com and attempt to ransom the data, according to the DOJ.

However, Sullivan’s trial was as much about establishing a liability paradigm shift as it was about personal accountability. CEOs responsible for the security of their company and its data now find themselves pondering at what point a breach will be considered to have caused harm.

In the future, CSOs and CISOs may disagree with their senior and equal colleagues on corporate risk management decisions, even if those decisions decrease risk. Every CSO/CISO recognises that there is no such thing as total security. Has the court’s judgement opened the door for data breach victims to target the executives who were responsible for safeguarding their information? It will be interesting to see how this decision impacts corporate security policy in the coming months, as attorneys review their positions in light of it.

What are the limits of personal liability for CISOs?

At what level should corporate liability insurance coverage extend down the executive chain of command? What guidance are human resources and legal departments giving their executives about their personal liability? Do they need to obtain personal liability insurance? Those are the next questions that must be answered.

According to the Washington Post, a variety of security executives are wary about how executive stakeholder participation in corporate decisions will affect their personal liability. In addition, infosec may come to be perceived as a less attractive field, and the public may become more skeptical overall.

This concern was corroborated in court. Uber’s executive team pointed out that Sullivan’s accounts had informed their decisions, and Uber distanced itself from his actions. The Uber legal team, on the other hand, was committed to protecting Uber, not Sullivan.

The CISOs who take the position bear all liability. But the consequences go beyond the individual and affect their infosec and security teams as well.

Keep records, keep records, keep records.

The most important takeaway from this case is the need to document even the smallest decision, and to defend it, both to other employees and to regulators and investigators. If the CISO does not keep records of his decisions, the DOJ, SEC, and FTC may prevent him from defending them in court (Mold & Pepper, 2018).

If the SEC’s proposed changes to the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules are passed, public companies and defendants may be required to defend their operational decisions (Mold & Pepper, 2018).

As CISOs now play a more significant role and personal liability is a fact, companies that provide Virtual CISO, shared-time CISO or CISO-as-a-Service offerings may see a boom in demand. But this is not necessarily good news. Customers may be tempted to reduce executive liability by outsourcing the legal risk to a third party. This is already what happens with external strategic consultants or external accounting firms.

In reaction, external cybersecurity service providers may raise their prices to cover the possible liability of their consultants, as may freelancers.

Tags: Business Risk, CISO, Compliance, Data breach, Human Resources, Justice, Personal Data, Security Posture
