Joe Sullivan, former Chief Information Security Officer of Uber, has been found guilty of obstructing a Federal Trade Commission investigation into Uber's security practices and of misprision of a felony for concealing a 2016 data breach from authorities. The verdict is likely to make Sullivan the first executive to face prison time for his handling of a cyberattack.
In November 2016, Uber suffered a data breach in which the attackers gained access to the personal information of roughly 57 million Uber riders and drivers, including names, email addresses and phone numbers. Sullivan was made aware of the breach and, rather than reporting it to authorities, arranged to pay the attackers $100,000 through the company's bug-bounty program in exchange for deleting the data and keeping quiet about what had happened. Sullivan was fired from Uber in 2017, was charged in 2020 and pleaded not guilty to all counts. The jury, however, found Sullivan guilty on all counts, and the former CISO now faces up to eight years in prison.
The United States Attorney for the Northern District of California, Stephanie M. Hinds, stated: "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users."
While state laws require the disclosure of data breaches, there is no clear federal counterpart that spells out what, when and how a CISO must report in such a case. Nor do CISOs of large corporations make these decisions alone; they consult lawyers and other executives in the firm beforehand. Sullivan had consulted an Uber lawyer on how to handle the breach. That lawyer was also fired by Uber, but was granted immunity by federal prosecutors in exchange for testifying against Sullivan.
Do you think Sullivan should face up to eight years behind bars if he was following Uber's internal legal advice that there was no need to disclose the breach to authorities?
Find out more,