Uber’s Ex-CISO is Heading to Jail After Data Breach Fiasco
As Joseph Sullivan, Uber’s former Chief Security Officer, heads to jail after courts convicted him of obstruction of justice and concealing the knowledge of a federal felony, Reflectiz asks, how did things go so terribly wrong?
The news that Uber’s former CISO, Joseph Sullivan, has been found guilty of criminal obstruction should be a sharp wake-up call to all security leaders.
Back in 2016, 50 million customer records and 7 million driver records were exposed by a data breach, including drivers’ license identification numbers, and the names, email addresses, and phone numbers of customers. While an attack could happen anywhere, the real problems began when Sullivan attempted to cover up the data breach, hiding the event from both the public and the Federal Trade Commission (FTC).
As well as telling employees that the official line on the data breach was that “this investigation does not exist”, Sullivan organized a payment to the hackers of $100,000 in exchange for an NDA. He was fired from Uber in 2017, and in 2020 he was charged in federal court with the deliberate concealment of a felony and obstruction of justice.
The Reputational and Financial Damage of a Data Breach
Once a data breach has occurred, there are strict compliance regulations around the actions a company needs to take. For example, PCI regulations dictate that if cardholder information is exposed, the business may need to engage a PFI, a Payment Card Industry Forensic Investigator, but there are no specific regulations about disclosure or reporting, other than notifying payment processors. In contrast, if you are working with EU customers, GDPR requires that supervisory authorities are alerted to the breach within 72 hours.
No matter which compliance regulations are impacted by a data breach, the more you can cooperate with the relevant authorities and implement a thorough incident response procedure, the more likely you are to stay away from harm.
In the case of Uber, the catastrophic impact was exacerbated by the cover-up, and Uber has been fined $158M to settle claims in the US, plus a further $1.17M by the UK’s Information Commissioner’s Office and the Dutch Data Protection Authority. For a smaller business, steep fines, heavy reputational damage, and bad press could be more than a company could hope to recover from.
Being Ready for Disclosure Starts with Visibility
Cooperation is more than just a state of mind. Even with the best will in the world, and with no intention of any fraudulent or criminal activity, many organizations are simply not prepared for a data breach.
At Reflectiz, we provide a thorough set of tools that assess, mitigate and prevent risk in your digital environment, offering security and vulnerability assessments, insight into web supply chain risks, tag manager security, client-side risks, and providing robust security enforcement. We even help businesses with specific compliance-related needs, for example our solution for full PCI-DSS compliance, already up to date and v4-ready.
However, sometimes the worst occurs and your business suffers a data breach. This is often caused by third parties, and has nothing to do with your own internal security processes. In any event, Reflectiz provides you with the visibility and control to both limit the damage and comply with the expectations of regulators and the public.
Where connected applications are responsible for breaking regulations or opening your business up to risk or attack, you can provide security teams and forensic investigators with a comprehensive map that shows all third-party components and their activities, to better support the investigation.
You’ll have answers to questions such as, “Who accessed this data?”, “How was it processed?” and “Where has this data been communicated?” You can even filter the data by sensitive actions, from who inputted the data to which specific network requests were made, and see details such as cookies and web storage, or cross-domain tracking.
In full cooperation mode, and with the right data to hand over to the relevant supervisors and authorities, you can both streamline mitigation and reduce the risk of fines and reputational damage.
Speak to us to learn more.