Former Uber CISO, Joe Sullivan, is appealing his conviction in relation to the 2016 data breach that occurred during his time as Uber’s CEO. Prosecutors charged Sullivan with withholding information about the breach from the FTC, even as the agency was investigating Uber’s data security and privacy practices. They also accused Sullivan of attempting to conceal the breach by paying $100,000 to the hackers responsible. Sullivan’s lawyers argued that the payment was made with the knowledge and approval of Uber’s CEO at the time, Travis Kalanick. Many in the industry believe that Sullivan was unfairly singled out and that the blame should extend to other executives as well.
Sullivan’s case has sparked a debate about the role of CISOs and whether they are being scapegoated for broader security failures within their companies. Many argue that Sullivan acted with the knowledge and support of his supervisors, making him not solely responsible for the breach and its associated failures. They believe that if Sullivan is held accountable, other executives, such as Kalanick, should also face consequences. Sullivan’s lawyers have raised this argument in their appeal, highlighting that over 30 of Sullivan’s co-employees had information about the breach but were not similarly charged.
While there is sympathy for the view that Sullivan was scapegoated, there is also a belief that executives should be personally liable for their company’s actions. However, without sufficient knowledge of the case’s details, it is difficult to form an opinion on this specific situation.
Key points:
1. Former Uber CISO, Joe Sullivan, is appealing his conviction in relation to the 2016 data breach.
2. Prosecutors accused Sullivan of withholding information from the FTC and attempting to conceal the breach by paying the hackers responsible.
3. Sullivan’s lawyers argue that the payment was made with the knowledge and approval of Uber’s CEO at the time, Travis Kalanick.
4. The case has sparked a debate about the accountability of CISOs and whether they are being scapegoated for broader security failures.
5. Many believe that if Sullivan is held responsible, other executives should also face consequences.
