Who watches the watchers? Thoughts about the Uber breach

According to Bloomberg, about a year ago hackers stole the personal data of 57 million Uber customers and drivers. After finding out about this breach, Uber leaders not only decided against disclosing it to employees, customers and state and federal regulators but also paid $100,000 to the attackers to keep it a secret. 

The truly scary thing here is that Uber paid a bribe, essentially a ransom, to make this breach go away and acted as if they were above the law. The people responsible for the integrity and confidentiality of the data, in fact, covered up the breach. To all outward appearances, Dara Khosrowshahi, Uber's new CEO, and the company's management team are doing the right thing and making the difficult choices. However, difficult consequences still have to follow. And above all, this is a wake-up call to the security industry that CSOs have a responsibility not just to the companies they work for, but for the people whose data is affected. In other words, Joe Sullivan, Uber's CSO who lost his job over this incident, and crew should have acted in the interest of the public good and public safety and made tough choices far, far sooner.

It's time to not let another breach on the scale of Equifax or Deloitte happen and to leave no gray area to security officers as to what the right thing to do is.

I'd like to convey this message:

To Uber CEO Dara Khosrowshahi (and the board)

I am encouraged by the approach you're taking. Companies can be heroes or villains but not victims. You are facing this, being open and transparent and so far appear to be trying to do the right thing. This generally shouldn't be remarkable, but it is in your case because you are in your opening phase of the new role (Khosrowshahi took over as CEO in September) and because you've found rot in the system. Let me just say: keep going. The messenger should not be shot, but keep up the courage and forward motion. For Uber to survive you must make it clear that you will do the right thing no matter how hard it is. If you do that, the brand will survive and do better. Shine the light on the dark places, and we will collectively respect you, and you will make Uber stronger.

We as an industry and individually are here if you need us, but you are blazing a new path that is important.

To former Uber CSO Joe Sullivan

What were you thinking? I am not on the inside at all, of course, but from the outside, this is looking ugly. The truth will come out in the end, and I can only hope that you made a poor and ill-formed decision rather than consciously doing the wrong thing. Your actions have hurt the public trust and Uber and have set our industry back 10 years. Don't cover anything else up. Please be open. Please help set the right moral course for future CSOs in your position to choose the right path and take brave stances.

To the security industry as a whole

I've written in the past about the lack of alignment between security and the business, but the takeaway for me is that this actually isn't the "nirvana" or the ultimate state. We aren't here to just pursue alignment to the business but are also becoming responsible for being the advocate, voice and even defender of the trust placed in companies. Data is a privilege, not a right. In many ways, there is a responsibility to do no harm to those that a company is fortunate enough to hold data on the behalf of. The security and privacy officers of companies are, of course, responsible for mitigating risk for shareholders around confidentiality, integrity and availability of data. But it's also time to recognize that we  are also the advocates of third parties who are vulnerable or exposed by virtue of a company's digital footprint, and we have responsibilities to public safety and public trust.

To fellow cybersecurity practitioners

Let no good crisis go to waste. Now's the time to set up a risk dialog with the business. Also, have the tough discussions about what responsibilities you have and to whom: what would and should you do in Joe's position when it comes to you. Have you done the hygiene right? Are you recoverable in a similar disaster? Are you ready for the tough decisions? What will your moment in the eye of a breach bring to the fore? I've been there and I know exactly what I will do; and so should you. Now.

Sam Curry
About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.

All Posts by Sam Curry