How egregious does your behavior have to be as a CISO to go to jail? Today we learn about it.
Today in Health IT: a CSO goes to jail. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders.
Gordian Dynamics, Quill Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. If you're a sponsor and you're saying, boy, I want to be a part of that, go ahead and send a note to partner@thisweekhealth.com. We are opening up our sponsorships again. We only do it once a year, so we only talk about it once a year.
And we bring on sponsors in January, an all-new set of sponsors, or the same set of sponsors if they renew. So that's what's going on there. You may hear the crickets in the background. I am still without internet. In fact, I got a note today from Comcast, and they said that the internet at my house will likely ... for an additional week.
So we will see how that plays out. It's kind of hard to do my job without the ... Regardless, my job is not nearly as hard as the former chief security officer of Uber, who was convicted of federal charges for covering up a data breach involving millions of Uber user records. All right. So a federal jury found Joseph Sullivan guilty of obstruction of the Federal Trade Commission and misprision.
Misprision of a felony. Hmm. I'm not exactly sure what that means. A federal jury convicted Joseph Sullivan of Uber Technologies of obstruction of proceedings of the Federal Trade Commission and misprision of a felony in connection with an attempted cover-up of the 2016 hack of Uber. The announcement was made
by the U.S. Attorney and Special ... following a four-week trial before a judge. Technology companies in the Northern District of California collect and store vast amounts of data from users, said U.S. Attorney Hinds. We expect those companies to protect that data and alert customers and appropriate authorities when such data is stolen by hackers. Sullivan
affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers
than in protecting users. Where such conduct violates federal law, it will be prosecuted. The message in today's guilty verdict is clear: companies storing their customers' data have a responsibility to protect that data and do the right thing when breaches occur, said FBI Special Agent in Charge Tripp. The FBI and our government partners will not allow rogue technology company executives to put American consumers' personal information at risk
for their own gain. The circumstances regarding Sullivan's violation of ... involved two separate hacks of Uber databases, one in 2014 and another in 2016. The evidence at trial established that Sullivan was hired as Uber's chief security officer in April 2015. At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014,
and that the breach related to the unauthorized access of approximately 50,000 consumers' personal information, including their names and driver's license numbers. In the wake of that disclosure, the FTC's Division of Privacy and Identity Protection embarked on an investigation of Uber's data security program and practices. In May 2015, the month after Sullivan was hired, the FTC served a detailed civil investigative demand on Uber, which demanded both extensive information about any other instances of unauthorized access to user personal information
and information regarding Uber's broader data security programs and practices. The evidence at trial demonstrated that Sullivan, in his new role as CSO, played a central role in Uber's response to the FTC. Specifically, Sullivan supervised Uber's responses to the FTC's questions, participated in a presentation to the FTC
in March of 2016, and testified under oath at length to the FTC on November 4th, 2016, regarding Uber's data security practices. Sullivan's testimony included specific representations about steps that he claimed Uber had taken to keep customer data secure. Exactly 10 days after his FTC testimony, Sullivan learned that Uber had been hacked again.
The hackers reached out to Sullivan directly via email on November 14th, 2016. The hackers informed Sullivan and others at Uber that they had stolen a significant amount of Uber user data, and they demanded a large ransom payment from Uber in exchange for their deletion of that data. Employees working for Sullivan quickly verified the accuracy of these claims and the massive theft of user data, which included records on approximately 57 million
Uber users and 600,000 driver's license numbers. The evidence demonstrated that shortly after learning of the 2016 breach, and rather than reporting it to the FTC, any other authorities, or Uber's users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate
that they can't let this get out, instructed them that the information needed to be tightly controlled, and that the story outside of the security group was to be that this investigation does not exist. Sullivan then arranged to pay off the hackers in exchange for them signing a nondisclosure agreement in which the hackers promised not to reveal the hack to anyone,
and which also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in Bitcoin in December 2016, despite the fact that the hackers had refused ... You get the picture. And I went that far in the story for a particular reason, because, you know, my soul went on. This is:
How does a chief information security officer pay $100,000 in Bitcoin? Did they have that level of authority to make that kind of payment? There are very few people in our health system who had that kind of authority, that they could execute a $100,000 wire transfer, or especially a Bitcoin payment,
without the CFO seeing it. So I think the thing that's interesting here to me, there's a couple of things. One is, this is egregious. And every now and then I pull up an egregious story. This is an egregious one, and one that, you know, this person should be prosecuted for, and Uber should be penalized to the full extent
that they are able to be penalized. This is just poor behavior, and any security professional would tell you it's just horrific behavior. My only question is, are we getting everybody? The chief information security officer clearly played a role. How did $100,000 in Bitcoin go outside of Uber?
Seems like something I would investigate and try to understand, at least the financial practices of Uber. Are they normally paying people in Bitcoin? Is that a common practice? Can this person just write a check for $100,000 and go into Expensify and expense that $100,000
expenditure? It just seems like something's not right. There's more at play here. But regardless,
this will become a story, I believe, that people will talk about in terms of how do you properly respond to a hack, no matter what information is lost. The proper way to respond to these things has been spelled out pretty clearly by the federal agencies: that we were to disclose the information to them as quickly as we possibly can, that we were to follow protocol in terms of securing
the network and the information that we can, and then cooperating at every turn with the investigation, and obviously then letting the users know within the statutory timelines that they need to be told. So the so-what on this is: use your head, and don't get sideways with the regulation. The regulation is there for a reason,
and you need to know the regulations. You need to follow the regulations. I don't want anyone who listens to this show to end up in jail. Seems like a ... Well, hopefully I'll have my internet back by Monday. It makes these shows a lot easier, and it will make the recordings I had to cancel this week a little easier.
We will see what happens. That's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher. You get the picture. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders.
Gordian Dynamics, Quill Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.