By Peter Lancos, Co-CEO & Founder
Uber’s former security officer, Joe Sullivan, stood trial this week in the first case of an executive facing criminal charges in relation to a data breach.
Joe Sullivan, the former Uber security chief, was found guilty after 19 hours of deliberation on Wednesday 5th October 2022 by a jury federal court on charges that he did not disclose a breach of customer and driver records to government regulators.
Data breaches are the new form of misconduct where before banking executives were the bad guys and now it’s the tech executives.
For those who haven’t followed the case, the F.T.C was investigating Uber in 2014. 10 days after the disposition, Sullivan received an email from a hacker claiming to have found another vulnerability. It was then learned that the hacker and an accomplice had downloaded 57m riders and drivers personal information. The hackers pressed for $100k ransom and the CISO and his team referred the hackers to the bug bounty program set up to pay “white hat” researchers to report security vulnerabilities – usually capped at $10k. $100k was paid and the hackers were made to sign NDAs and it was all brushed under the carpet.
So how far did this go up the organisation… the previous CEO of Uber approved the payments to the hackers.
The new incoming CEO Dara Khosrowshahi, joined the company in 2017 and soon after this was disclosed to the F.T.C. This would suggest that this was documented and potentially fell in line with internal policy at the time.
States typically require companies to disclose breaches if hackers download personal data and a certain number of users are affected. There was no federal law requiring companies or executives to reveal breaches to regulators.
However, the US attorney, said this was a deliberate withholding and concealing of information, as Sullivan had taken many steps to keep the F.T.C and others finding out about it.
The verdict… GUILTY.
A sentencing date has not yet been set, but Sullivan faces a maximum of five years in prison for the obstruction of justice charge, and up to three years for failing to report the crime, according to the DOJ.
But what does this mean for CISO’s across the globe now this new precedence has been set. Would any other CISO have done anything differently?
Now every CISO needs to worry about the real possibility of jail time. The impact will be clamping down on every project that needs to move fast and potentially with an uprise of controls folks saying “No”.
At eXate we are looking at ways the technology teams can build security patterns into their architecture to allow them to move fast and risk nothing. By centralising consistent controls on data could help manage the one system that could be responsible for putting someone in jail.
The risk today is 91% of organisations say they have had at least one data breach from the APIs, with 85% having more than one. Gartner predicts APIs are the biggest threat vector to an organisation. It’s more important than ever.
Request a Demo
Schedule a demo with one of our product experts today to learn about APIgator and how eXate automates and applies privacy and security to sensitive data in the right place and in the right form.