Former Uber CISO Convicted: What, How & Why?
Date: 11 October 2022
Uber Technologies’ former CISO, Joseph Sullivan, has been convicted of federal charges for covering up a 2016 data breach in which the personal information of 57 million Uber users was stolen. A United States federal jury has found Sullivan guilty of obstructing the proceedings of the Federal Trade Commission (FTC). Apparently, Sullivan, then in charge of security operations and cyber security at the company, spearheaded the scheme in which Uber paid hackers $100,000 through its bug bounty program to not release the data and stay silent on the attack. The hack was disclosed in 2017 when the new Uber CEO, Dara Khosrowshahi, stepped into his new role.
This conviction is a watershed moment in cybersecurity history, and not because CISOs are rarely made the scapegoat for security incidents. They often are, but the consequences are usually limited to being publicly blamed or fired. This is believed to be the first time that a CISO of a major U.S. company has been convicted for a data breach and its ensuing cover-up.
Did the CISO’s job just become tougher than it already is? The spotlight on the former Uber CISO’s conviction definitely seems to say so. The pressure is on and the message is clear - executive due diligence is of paramount importance where cybersecurity is concerned.
The more important lesson here? Cyber-attacks happen to everyone and all the time. The real clincher lies in how you respond to them, record the events and report the incident. If this event has taught us anything, it is this - Incident Response Handling has never been as critical to business continuity and brand perception as it is today.
In the table below, we capture some of the major news stories around this massive moment in global cybersecurity. The idea of creating this resource is strictly educational. We, at Cyber Management Alliance, do not take any responsibility for the veracity of the facts mentioned in any of the news stories. We have only collated some of the useful resources for anyone who wishes to educate themselves on how the events unfolded in the former Uber CISO’s conviction.
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
Interesting Opinions on the Uber CISO Conviction