Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds

Joe Sullivan arrived at his sentencing hearing on May 4 this year prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury had convicted the former Uber CISO months earlier on two charges of fraud for failing to alert regulators to a 2016 cybersecurity breach, but Sullivan was spared having to serve any prison time. Instead, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. Prosecutors had sought 15 months of prison time on the charges, alleged by the Federal Trade Commission, that Sullivan failed to report the breach, which affected more than 50 million records for customers and Uber drivers.

"I went to my sentencing hearing fully prepared to go to jail with a specific penitentiary area that we were going to request," Sullivan tells Dark Reading. "I had to research all the different federal facilities and figure out which one would be the one that my family would be able to most visit and that I would be the safest. And I had to think about who would take care of my kids and who would pay my bills on my house and manage everything else."

Joe Sullivan, Post-Uber Breach

Now that the matter has been decided, Sullivan is free to speak out, and he plans to share his story in a keynote address at Black Hat Europe 2023 on Dec. 7. Sullivan says biting his tongue for more than six years wasn't easy.

"My lawyers wouldn't let me say a word," Sullivan laments. "For six years, I had to listen to and see my name in the media saying things about me that I knew weren't true. And my kids had to be subjected to everybody they know asking them what they saw about their dad on the news."

In getting the minimum sentence, Sullivan says he was vindicated. "The judge said we did an amazing job on the investigation," he says. "We followed our playbook. What people don't understand is the company had D&O insurance policies. We had a data-breach response policy that designated a specific lawyer we were supposed to call. The team called in that lawyer and called in PR. I looped in the CEO and kept him up-to-date."

Transparency Is the Most Significant Lesson

Sullivan says the key mistake he made was not bringing in third-party investigators and counsel to review how his team handled the breach. "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."

Now, Sullivan advises other CISOs and companies on navigating their responsibilities in disclosing breaches, especially as the new Securities & Exchange Commission incident reporting requirements are set to take effect. "I think anything that pushes towards more transparency is a good thing," he says.

He recalls that when he served on former President Barack Obama's Commission on Enhancing National Cybersecurity, he pushed to give companies immunity if they are transparent early on during security incidents. That hasn't happened until now, according to Sullivan, who says the jury is still out on the new regulations, which will require action starting in December.

"Right now, too many companies think it's not in their best interest to be transparent," Sullivan says. "I think the SEC is trying to change the incentives through sticks rather than carrots. But that's the tool that they have, which is better than nothing."

SolarWinds Sends Mixed Signals from the SEC

Meanwhile, the SEC is signaling a zero-tolerance focus when it comes to data breach mishandling, with its recent charge of fraud in the US District Court for the Southern District of New York against SolarWinds Corp. and its CISO Tim Brown, regarding the software supply chain attack on the company's Orion platform in October 2020.

Sullivan says the SEC's decision to charge SolarWinds and Brown contradicts the agency's approach in rolling out its new disclosure rules just months earlier. "On the one hand, they are engaged with the community and have set some new expectations, which I think is great because they're trying to set some rules for the road, and they got feedback from the public," Sullivan says. "But if you look at the SolarWinds and Tim Brown enforcement action, you see a very different approach, which is not so collaborative, and a lot of commentators have suggested that maybe they don't seem to fully understand what life is really like doing security inside of a corporation."

It's too early to predict how the case will play out, since only the parties involved know what evidence will be presented, Sullivan says. Based on the SEC's charges, he sees similarities to his own situation. "The government, the FTC in my case, felt that my company wasn't sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn't my job to be the communicator of our security posture or answer any of their questions," Sullivan says. "In fact, I hadn't seen a lot of the documents. And so, their case was about me being held personally responsible for the company's approach to communication. Tim Brown's case is the exact same thing."

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000
