This case is setting the groundwork for just what and how far the FBI can pursue company employees based on how the companies handle a breach. It could have a big impact on the tech sector.
Yes, it's highly relevant to any company that handles people's sensitive personal data. Here's an excerpt:
> “Institutions that store personal information of others must comply with the law,” said Acting U.S. Attorney Hinds. “When hacks like this occur, state law requires notice to victims. Federal law also requires truthful answers to official government inquiries. The indictment alleges that Sullivan failed to do either. We allege Sullivan falsified documents to avoid the obligation to notify victims and hid the severity of a serious data breach from the FTC, all to enrich his company.”
> “If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair.
Are there any hints about the other “large tech company” hit by the same hackers? To be transparent to the authorities is not always easy, but in this case, it could have prevented another attack :/
> The separate guilty pleas entered by the hackers demonstrate that after Sullivan assisted in covering up the nature of the hack of Uber, the hackers were able to commit an additional intrusion at another corporate entity—Lynda.com—and attempt to ransom that data as well.
> In early 2021, the podcast began releasing a series of episodes called "The Test Kitchen", which covered allegations of structural racism and a toxic work environment at the food magazine Bon Appétit. After the second episode aired, accusations came out about similar toxicity present in Reply All and Gimlet as a whole. On February 17, 2021, both Vogt and Pinnamaneni announced they were leaving the show.
I have a feeling companies in the US will have difficulty filling CISO roles without offering golden parachutes (which kick in if the CISO is let go after disclosing a breach) in future.
In cases of breaches there will often be commercial pressure in a company not to disclose (to avoid financial impact).
With personal criminal liability being a possibility for the CISO, they are then placed in the position of disclosing regardless of internal pressure (risking their job) or not disclosing (and risking criminal prosecution).
Whistleblowers are protected from retaliation due to disclosure by law (they don't need to risk their job), I'm not sure a golden parachute would afford much extra protection.
I would argue the golden parachute is better, since it leaves both parties in a state of resolution. A whistleblower law may provide legal coverage, but it is not difficult to imagine the social pressure being applied afterwards to someone who "stirs up a mess".
It’s worth a shot. I agree with you the laws are there, not just in America but in a lot of countries. However, the facts are fairly clear on the ground that whistleblowers suffer miserably. Then only some, after an ungodly amount of time, are hailed as heroes.
That's one of the great parts of GDPR, disclosures are mandatory and DPOs are personally responsible for disclosure, so they have to do it regardless of internal pressure.
I recently interviewed for a CISO role with an explicit “no fault” separation and payout clause in the event of a breach that occurred and required reporting despite security best practices/efforts to avoid. It’s already a thing, and seems to be a given that the CISO is a sacrificial role.
Not sure why you would even take the risk of keeping on someone who was previously indicted by the Department of Justice if trust is of high value to your company.
Does anyone else find it odd that often press releases are highly upvoted on HN (as opposed to a news article on the subject)? I understand it's source material, but the objectivity you will find in a press release is almost certainly less than you will find in a good news article.
In a criminal case like this, the other side is unlikely to say anything very specific in their own defense, to avoid jeopardizing their case in court. So the press release is most of what a news outlet will have to go on.
It’s an indictment so it’s really the only (palatable) side available right now. The person indicted is unlikely to give a statement because anything they say could harm their defense. Their attorneys certainly will not speak in any substantive way. That leaves media outlets with options like ‘contact their grandma’ to try to get a statement.
Some journalists will try stuff like that, but that’s arguably worse than a press release.
This case has implications across the board for CISOs that have to deal with incidents like this. I believe this case also dealt with a payout for a "bug bounty".
If you're interested, the congress hearing is here. That hearing is still the primary source for this story. It's worth some time - some journalists have tried to cover this but mostly just cherrypicked quotes. The entire hearing is better than any of the coverage.
You can watch the hearing on that page (it's more interesting to watch than to read) or find links to the various witnesses and their testimony. For example, if you want to read John Flynn's testimony, it is available here (.pdf):
This isn't really a "press release" of the type that usually annoys me, this is the release of the indictment from the justice department involved. It's pretty detailed. I'm sure we'll get the balanced news at some point, but I'm sure even Uber (the new management mentioned in the release as having published the hack) will avoid getting involved in this other than to say something like "check the release, you'll see we co-operated as soon as we found out".
So, even in the US wiping your breaches under the carpet is no longer an option. The GDPR explicitly deals with this; unfortunately it still leaves some room for lawyering by not making explicit what a reportable breach is. Any breach should be a reportable breach, that would get rid of the gray area. But great to see the justice department deal with this in a way that is responsible towards the victims of the breach; accountability of management is a good first step in the right direction.
Yes. So the loophole is that if a company can plausibly claim that they didn't know any personal data was taken (for instance: by not having logs, which in practice leads quite often to 'hmmm, what if we no longer had logs') that they can pretend it didn't happen. Which of course is super dumb because if in due course it turns out that personal data was taken and that evidence was removed then you are really in trouble.
Which is why I'm arguing for reporting any breach, not with a threshold of type or quantity of data stolen. If you had a breach and you believe that no data was taken you should still be required to report it and if it turns out that you have made evidence of a breach disappear that should automatically trigger the worst penalties under the law.
Yes. The PII of all citizens of EU countries isn't leaked out there (there have been country-wide breaches like in Bulgaria, but it's the exception), and when leaks do happen, people learn about them quickly and the companies get fined if they were at fault/handled it badly.
Oh, and EU PII is drastically less useful. Most countries in the EU have national ID systems, which are used and required for anything important (like a new bank account or loan). A bad actor could still use PII for social engineering though.
What was the upside of lying here? Seems like getting hacked is pretty common these days and I'm not surprised at all if some product I'm using tells me that they leaked my PII.
Why not just reveal the breach? Why risk going to jail just to avoid looking bad in your job? I don't think they would have even let him go because of this.
You know he was pulling down big $$'s and he is very high profile; with a breach like that it most likely would have put his job in jeopardy, not to mention it's not going to look good on a resume.
The one thing I haven't understood is just what the value was of the non-disclosure agreement he asked the hackers to sign? Even if you abstract away that they are hackers who illegally accessed your data, apparently they were first signed... before??... Uber knew their real identities? So, what on Earth would a signature on a piece of paper from random internet aliases possibly accomplish?
> “If Mr. Sullivan had immediately reported the breach—instead of misleading the government by withholding information—the FBI could have been better able to assist Uber; also, the data breach of at least one additional large tech company may have been prevented,” said FBI Special Agent in Charge Fair.
NOTE: So, if you are blackmailed by hackers and pay, you now go to federal prison. The only way to play with the hackers is not to work with the FBI (obviously). I understand the 'anti-Uber HN hate' here, but wow, being attacked by hackers, then getting scared, playing along, paying out blackmailers, then going to federal prison? Wire fraud could be 20 years in federal prison. This guy is worse than a rapist? Not following.
Also, if the FBI wants to talk to you, get a lawyer; they have no interest in "assisting" you. They do enjoy posting your name on "www.justice.gov" to permanently destroy your career though. Never, ever, ever talk to the FBI.
> Wire fraud could be 20 years in federal prison. This guy is worse than a rapist?
Wire fraud that destroys someone's life savings (i.e. on the Madoff scale) can be arguably put in the same ball park as a sexual assault, in terms of net damage inflicted. Plus wire fraud has the potential to inflict damage on large numbers of people. So that's probably what the maximum penalty is motivated by. (Whether the maximum applies in this case is a separate matter).
> Being attacked by hackers, then getting scared, playing along, paying out blackmailers, then going to federal prison?
What you're allegedly paid for as a CSO, or chief-anything of a large publicly traded company (and at a level astronomically higher than that of your rank-and-file muscle workers who you won't even dignify as "employees") is your awareness of the law (or at least the minimal sense to ask a lawyer), and your ability to not shit your pants in these situations -- but to act rationally.
I thought it was really interesting that Mr Sullivan is a former US Attorney. Surely he would have known he was putting himself in significant legal jeopardy, no?
> “Uber’s new management ultimately discovered the truth about the breach and disclosed the breach publicly, and to the FTC, in November 2017.”
This is so weird. Did the "old management" aka TK and Thuan Pham know about this and instruct that guy to pay $$$ and keep quiet? Sounds like it? Or did he pay the ransom secretly out of his own pocket?
So maybe it's someone else that should be held accountable and the "new management" is just throwing the CSO under the bus?