Uber CISO’s trial underscores the importance of truth, transparency, and trust

Truth, transparency and trust are the three T’s that all CISOs and CSOs should embrace as they march through their daily grind of keeping their enterprise and its data safe and secure. Failure to adhere to the three T’s can have serious consequences.

Case in point: A federal judge recently ordered Uber Technologies to work with its former CSO, Joseph Sullivan (who held the position from April 2015 to November 2017), and review a plethora of Uber documents that Sullivan has requested in unredacted form for use in his defense in the upcoming criminal trial.

The case against Uber’s former CSO

By way of background, Uber’s former CSO faces a five-felony count superseding indictment associated with his handling of the company’s 2016 data breach. The court document, filed in December 2021, alleges Sullivan “engaged in a scheme designed to ensure that the data breach did not become public knowledge, was concealed, and was not disclosed to the FTC and to impacted users and drivers.” Furthermore, the two individuals who are believed to have effected the hack, and who subsequently requested payment for non-disclosure, ultimately received $100,000 from Uber’s bug bounty program. These individuals were identified in the media as Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, both of whom were later indicted for their breach of Lynda (a company acquired by LinkedIn).

Uber’s late breach notification

It would be November 2017 when the new CEO, Dara Khosrowshahi, provided context surrounding the breach and acknowledged that the advisory from the company was a year late. Apparently, the in-house discussion at the time of the breach cataloged the event as a “bug bounty” payout and not a breach, and thus saw no need to disclose it. Semantics or subterfuge? The subsequent settlements and Khosrowshahi’s statement indicate the latter may be at play.

The breach included names, email addresses, and mobile phone numbers of 57 million Uber users around the world, which included 600,000 of the company’s drivers’ names and license numbers. The statement also revealed that two individuals associated with the breach incident response had been terminated that same day (no names provided).

Meanwhile, in September 2018, California, the San Francisco attorney general, and the California state attorney general announced a $148 million nationwide settlement “resolving allegations that Uber Technologies, Inc., violated state data breach reporting and reasonable data security laws.” The settlement included specific actions and reforms within Uber.

Copyright © 2022 IDG Communications, Inc.
