Hear From The CEO: Is Covering Up A Data Breach Ethical? - Talion

Over the past month, you may have seen on the news the court case surrounding Joe Sullivan. As Uber’s former Chief Security Officer, he was recently found guilty of concealing a cybersecurity incident back in 2016, when he failed to report a data breach to the authorities and the personal information of 57 million users was compromised. His deliberate actions to hide it, which initially prevented the hackers from being caught, broke several laws, and he was found guilty on counts of obstruction of justice and deliberate concealment of a felony, according to the US Justice Department.

For context, it took a year after this incident took place for it to be made public. Dara Khosrowshahi was appointed Uber’s new CEO and Sullivan was fired in the process. Whilst Sullivan was charged in 2020 over his alleged role in the cover-up, it’s only now in 2022 that the verdict has been given – after a grueling 19-hour decision process with a jury of six men and six women, Sullivan is facing 8 years in prison. 

The Joe Sullivan case is one that I think asks a lot of questions surrounding the importance of disclosing a cybersecurity incident and the ethical nature of doing what’s legally right, versus doing what’s best for the business. For publicly traded businesses in the US, for example, exposing data breaches is a legal requirement under the SEC. For non-public businesses, the decision lies solely in their own hands. I believe there is a responsibility in any case for the leadership of the organization to have full visibility and awareness of any cyber incident, whether it’s public or within the shareholder community. For shareholders in particular, they have a right to know that the company they’ve invested in has been exposed to a breach and what they are doing to mitigate it and prevent it from happening in the future. 

The question a lot of individuals and businesses may ask is: what is the best way to go about disclosing a data breach? When a cyber incident occurs, it’s inevitable that making it publicly known will impact the trust of your existing customers. If the breach happens to be the result of negligence, the trust-impact is even greater, because the business hasn’t been doing all the things they were meant to be doing. 

“Breach plus negligence? That must be disclosed, because it’s a company not doing the right thing.”

In the case of Joe Sullivan, he did end up catching the criminals who stole the data and requesting that they delete it, removing the risk of that data being exposed publicly; however, the way he did it is ethically questionable for a lot of people. Using the company’s bug bounty program (used to reward researchers for revealing security vulnerabilities), Joe Sullivan paid the hackers $100,000 to delete the stolen data and sign a non-disclosure agreement. This meant he was able to successfully cover up the breach without having to take it to the SEC, gaining approval from both the CEO and the board to do it. He achieved protection of the stolen data and caught the people that stole it, all whilst keeping Uber out of the press. Everyone, including the shareholders, was better off because of Joe’s actions. It’s only when the new CEO Dara Khosrowshahi was appointed that personal liability fell onto Joe Sullivan as the sole driver in covering up the breach. He was the perfect patsy: shifting the liability to Joe kept the fallout from landing on Dara Khosrowshahi.

Where do we draw the line between covering up a data breach for the protection of the business, and disclosing it with the possibility of stolen data being made public, with consequent damage to shareholders, customers and employees? When the breach happened, Joe reacted with the skills, expertise and facilities at his disposal. He presented his plan to the CEO and CFO, and they gave him their approval. Therefore, should Joe be the only one liable for this cover-up? Should covering up a data breach be treated as a crime when the security team succeeds in retrieving the data and the criminals are arrested, or is it understandable given the pressures placed on a security team, even if they still need to be held accountable?

“When incidents like the Joe Sullivan case occur, it’s like opening Pandora’s box. When it’s happened once, cybercriminals start looking for other people to do this to too, which creates a lot of tension for senior CISOs in the industry.”

When I think back to conversations I’ve had with other CISOs and CSOs, the pressure that is placed upon them by the board and senior leadership to keep the business protected is enormous. They push them ridiculously hard to ensure they don’t get found negligent, that big fines are avoided, and that they don’t end up in class action lawsuits. That’s a tremendous role to be in. I don’t think I or anyone else can speak for Joe and say whether he selfishly covered up the data breach to protect his job and the company, or whether the pressures of being a CSO in a big organization just got to him. It’s a case-by-case basis where every security professional will ask themselves, “do I cross into that grey area? Or do I stay in the black and white?”

“Many people on the outside can judge someone like Joe Sullivan, but they’re not walking in that person’s shoes. You can’t really know the pressure of making that decision, unless you’re in that situation.”

The reporting of these incidents adds to the scaremongering that often happens in the cybersecurity industry – will security professionals do the “right thing” and disclose data breaches going forward, knowing that if they don’t, they could end up in a similar situation as Joe Sullivan, facing prison time? 

I don’t think this one case will be enough. When you look at the rewards a CISO receives, in terms of a high salary, it’s inevitable that this comes with the pressure of the role. If the news stories of well-known companies such as Walmart, Target and EasyJet being hit by large regulator fines and followed up with class action lawsuits become a trend, I believe this will gain more momentum. But I don’t think it’s a matter of going out and educating people to say “you should not do these things” – they know whether they should or they shouldn’t. Ultimately their decision comes down to the pressures placed on them by senior leadership – if they don’t cover up the breach, will they lose their job? If they do, could they risk something worse, like prison time?

“It’s not black and white like everybody looks at it – we have to remember that.”

Join the conversation over on my LinkedIn to share your thoughts on the Joe Sullivan case and what impact you think this will have on the decision Boards and CSO/CISOs have to make when they are breached.

We’re continuing to drive awareness surrounding cyber incidents – you can find out more about our #RansomAware campaign here. 
