cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

A brand new stick: The trial of ex-Uber CISO Joe Sullivan

Joe Sullivan will never be a household name. He is, however, about to embark on a journey that will explore exactly where the responsibility of chief information security officers (CISO) begins and ends, Andrew Wilson of Senetas, writes. For obvious reasons, Sullivan should become a household name among cyber security professionals.

user iconAndrew Wilson
Wed, 28 Sep 2022
A brand new stick: The trial of ex-Uber CISO Joe Sullivan
expand image

Sullivan is set to go to trial in the United States for his actions as the former CISO of ride-sharing app Uber in 2016, when the company was held to ransom by unnamed hackers.

The news of the criminal trial going ahead means that Uber, and its former CISO, has managed to collect virtually every possible negative outcome from a single data breach: financial penalties, a loss of reputation, extensive remediation costs, civil litigation and now, criminal proceedings.

Notably, Sullivan faces criminal charges for two specific reasons: first, it’s alleged that under his direction, Uber attempted to conceal the privacy breach of 57 million driver and rider accounts for over a year. Second, they paid the hackers $100,000 to delete the data and keep quiet about it thanks to a signed non-disclosure agreement.


Significantly, under the US federal and state privacy laws, penalties for failures to comply with data breach notification requirements may also include criminal charges. At this point, it’s important to note that after these events, Uber appointed a new CEO who fired Sullivan and promised better cyber security standards.

There is much speculation around the fallout of this criminal trial. It’s safe to say most CISOs would have paid the ransom in Sullivan’s position. According to Enterprise Security Group research, in Australia, close to nine out of 10 of organisations in ransomware situations pay the ransom. But paying the ransom itself is unlikely to be the issue.

It’s also very difficult to distinguish this action from the bug bounty program currently run by some of the world’s largest tech companies. Ultimately, you’re paying someone a reward because they went out of their way to find a way to commit a crime — i.e. accessing your valuable data without an invitation.

For this reason, it is unlikely that this action will be under scrutiny. Rather, it is the decision to conceal the payment for over a year and the secretive arrangement with the hackers that is likely to be the focus of the trial.

A fix five years in the making (and counting)

There are some painfully obvious lessons to be learned here, with the benefit of five years of hindsight. Timely disclosure should be part of the response plan in event of the breach. Strong encryption of all data is mandatory. Zero-trust architecture should be implemented. Learn from others’ mistakes.

Except, to me at least, little seems to have changed over the past five years. Organisations around the world continue to suffer devastating data breaches. The solutions and mitigations to these ransomware breaches are out there. They are the carrots, and too few CISOs are pushing hard enough for their implementation.

Which is why Sullivan’s criminal prosecution is gathering such international attention in our industry. It threatens for the first time, since the European Union’s tough General Data Protection Regulation (GDPR), a new stick with which to galvanise action towards best practices. However, the GDPR stops short of holding individuals accountable for their response to a breach.

The world of cyber security should be watching Sullivan’s trial very closely. A criminal stick for the CISO would be a massive change to the way we all work.

Andrew Wilson is the CEO at Senetas.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.