BLACK HAT EUROPE 2023 - London - Former Uber CISO Joe Sullivan last week shared new details about the 2016 data breach at the company that led to his firing from Uber and, later, felony charges.
The Uber Breach
Sullivan was in his second year as CISO of Uber when attackers stole 57 million user and driver accounts, including names, phone numbers, email addresses, and more than 600,000 US drivers' license numbers.
After the attackers alerted Uber to the breach, and before Uber notified the authorities, the attackers were paid $100,000, which Sullivan characterized as a bug bounty, and signed a nondisclosure agreement about the incident.
Sullivan was charged with two counts: obstruction of justice specifically related to a Federal Trade Commission investigation of Uber, and misprision of a felony, where he was accused of covering up a felony.
That statement said contracts drafted by Sullivan and a lawyer assigned to his team falsely represented that the hackers did not take or store any data in their hack, and that Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the General Counsel of Uber.
The FTC says it was not notified about the breach or payment until 2017.
On the misprision of a felony charge, Sullivan said that the attackers violated 18 USC 1030, the statute covering unauthorized access to a computer.
Responsible Disclosure
Sullivan said he had always promoted responsible disclosure policies, going back to his role with eBay in the 2000s, when he encouraged testers to reveal details of vulnerabilities they found.
Payment and NDA haunted Sullivan and Uber: In the federal trial in May of this year, Sullivan was accused of using the NDA as a cover-up.
He said in his keynote here that he believed the NDA was a way of solving the problem and of resolving the breach.
Sullivan's lawyers made the case that Sullivan issued the payment to the hackers with the full knowledge and blessing of Travis Kalanick, Uber's CEO at the time of the breach, as well as that of members of the Uber legal team.
The judge asked the prosecutor why the CEO of Uber had not been held accountable as well, saying that the CEO was just as culpable as Sullivan yet was not in court, and that Sullivan alone was being held responsible.
Offering Advice
Sullivan's experience with the Uber breach and its legal fallout has led some security professionals to consult with Sullivan for career advice.
He now often gets approached by security professionals who are interviewing for their first CISO appointment.
He advises security professionals to be sure they have the right personal protections in place so they are prepared for the potential fallout of a data breach.
In one recent conversation, he recommended that the security professional accept a CISO job offer, but first talk with the company's general counsel and CEO to make sure they understand the nuances of attacks, vulnerabilities, and breach disclosure.
He also recommended creating a personal incident response plan and considering how you would survive a breach personally.
Look at your own legal representation, insurance, and plans for your family, he said.
[Slide: advice on a personal incident response plan]
As a strategy for preparing and surviving a breach, Sullivan used the analogy of a fire department.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 12 Dec 2023 14:30:21 +0000