Truth, transparency and trust are the three T’s that all CISOs and CSOs should embrace as they march through their daily grind of keeping their enterprise and the data safe and secure. Failure to adhere to the three T’s can have serious consequences.
Case in point: A federal judge recently ordered Uber Technologies to work with its former CSO, Joseph Sullivan (who held the position from April 2015 to November 2017), and review a plethora of Uber documents that Sullivan has requested in unredacted form for use in his defense in the upcoming criminal trial.
The case against Uber’s former CSO
By way of background, Uber’s former CSO faces a five-count felony superseding indictment associated with his handling of the company’s 2016 data breach. The court document, filed in December 2021, alleges Sullivan “engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC and to impacted users and drivers.” Furthermore, the two individuals believed to have carried out the hack, and who subsequently requested payment for non-disclosure, ultimately received $100,000 from Uber’s bug bounty program. These individuals were identified in media as Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, both of whom were later indicted for their breach of Lynda (a company acquired by LinkedIn).
Uber’s late breach notification
In November 2017, the new CEO, Dara Khosrowshahi, provided context surrounding the breach and acknowledged that the company’s advisory was a year late. Apparently, internal discussion at the time of the breach cataloged the event as a “bug bounty” payout rather than a breach, and thus saw no need to disclose it. Semantics or subterfuge? The subsequent settlements and Khosrowshahi’s statement indicate the latter may be at play.
The breach included names, email addresses, and mobile phone numbers of 57 million Uber users around the world, which included 600,000 of the company’s drivers’ names and license numbers. Included within the statement was the revelation of how two individuals associated with the breach incident response had been terminated that same day (no names provided).
Meanwhile, in September 2018, California, the San Francisco attorney general, and the California state attorney general announced a $148 million nationwide settlement “resolving allegations that Uber Technologies, Inc., violated state data breach reporting and reasonable data security laws.” The settlement required specific actions and reforms within Uber:
- Implement and maintain robust data security practices.
- Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
- Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
- Develop, implement and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
- Report any data security incidents to states on a quarterly basis for two years.
- Maintain a corporate integrity program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.
In October 2018, the Federal Trade Commission (FTC) dropped its hammer, with Uber agreeing to a settlement. Within the settlement, the 2016 breach and the 2014 breach are each dissected and explained. The pathway to the 2016 compromise? An Uber engineer had posted the Amazon S3 datastore access key on GitHub. The hackers “accessed Uber’s GitHub page using passwords that were previously exposed in other large data breaches.”
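The 2016 pathway described above started with a cloud access key committed to a code repository. The following is an added example, not code from the article or from Uber, of the kind of pre-commit check that catches that mistake before the commit leaves the developer's machine: it scans only the added lines of a unified diff for AWS access key IDs and secret keys. The regexes and the sample diff (which uses AWS's published example credentials, not real keys) are assumptions made for this illustration.

```python
import re
import sys

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) followed by
# 16 upper-case alphanumerics; the secret-key pattern is a heuristic keyed on a
# variable name plus a 40-character base64-like value (expect some false positives).
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws_?secret(?:_access)?_?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)

def scan_added_lines(diff_text):
    """Return (file, new_line_no, kind) for each added diff line carrying AWS credentials."""
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-side file name
            current_file = line[4:].split("\t")[0].removeprefix("b/")
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", line)
        if hunk:                             # reset counter to the new-side start line
            line_no = int(hunk.group(1))
            continue
        if line.startswith(("-", "\\")):     # removed line or "\ No newline" marker: not in new tree
            continue
        if line.startswith("+"):
            body = line[1:]
            if AWS_ACCESS_KEY_ID.search(body):
                findings.append((current_file, line_no, "aws_access_key_id"))
            if AWS_SECRET_KEY.search(body):
                findings.append((current_file, line_no, "aws_secret_access_key"))
        line_no += 1                         # context and added lines both advance
    return findings

# Constructed sample diff using AWS's documented example credentials (not real keys).
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 BUCKET = "rider-data"
-REGION = "us-west-2"
+REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+TIMEOUT = 30
"""

if __name__ == "__main__":               # pre-commit use: git diff --cached | python scan.py
    hits = scan_added_lines(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for path, no, kind in hits:
        print(f"{path}:{no}: possible {kind}")
    sys.exit(1 if hits else 0)
```

A non-zero exit blocks the commit when wired in as a git pre-commit hook; keys that have already been pushed must still be rotated, since scanning cannot undo exposure.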
Lesson for CISOs: Be honest and transparent with board, C-suite
Fast forward to 2022 and the last piece of the legal morass enveloping Uber’s 2016 data breach is reaching its conclusion: The trial of the former Uber CSO Sullivan.
It is clear from the most recent court filings that Uber does not wish to have its internal emails splayed out on the table in court, while Sullivan’s attorney believes that some of those internal emails will serve to mitigate and address the allegations brought forward by the DOJ. Was the company’s legal team a party to the semantic wordplay that cataloged the hackers as bug bounty awardees?
The judge has provided a timeline for the parties to sort out which internal documents are contentious and to make their case pending judicial review and adjudication. Then, the items will be declared to prosecutors.
As Violet Sullivan, a cybersecurity and privacy attorney who serves as vice president of client engagement at Redpoint Cybersecurity, observes, there is a very real need to brief the board and C-suite effectively on the realities of cybersecurity: it is not 100% secure. Furthermore, there is the harsh reality that many CISOs who do not take the time to educate find their employment terminated in the event of a breach.
I agree. Much of the information security or CSO team’s success is predicated on the allocation of resources. As detailed in the FTC settlement, what is represented must match that which is practiced. Uber is now enjoying years of federal oversight and review of its “privacy program and for 20 years (beginning in 2018) obtain biennial independent, third-party assessments, which it must submit to the Commission, certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.”
It is not difficult to embrace the doctrine of truth, transparency, and trust by investing upfront in basic cybersecurity processes, event remediation, and, above all, consistent documentation. That is far more cost-effective than millions of dollars in fines, loss of trust, and years of over-the-shoulder review by various federal government entities.
Copyright © 2022 IDG Communications, Inc.