Ex-Uber CISO Advocates Personal Incident Response Plan for Security Execs

Why Joe Sullivan feels paying off attackers was a way of solving the problem.

BLACK HAT EUROPE 2023 – London –
Former Uber CISO Joe Sullivan last week shared new details about the
2016 data breach at the company
that led to his firing from Uber and, later, felony charges.
In a keynote address at Black Hat Europe, Joe Sullivan admitted

he avoids listening to webinars and programs that lead with the theme of how to avoid turning out like Joe. In an
interview with Dark Reading
, Sullivan said he had to listen to and see my name in the media saying things about me that I knew werent true.
Sullivan was in his second year as CISO of Uber when attackers stole 57 million user and driver accounts, including names, phone numbers, email addresses, and more than 600,000 US drivers license numbers.
After the attackers alerted Uber about the breach and before Uber notified the authorities, the attackers were paid a $100,000 settlement — which Sullivan characterized as
a bug bounty,
where the attackers signed a nondisclosure agreement (NDA) about the incident. Uber CEO Dara Khosrowshahi later
fired Sullivan
, arguing that Sullivan had misled him about the breach, calling Sullivans decision not to disclose the wrong decision. At the time, Uber had ordered Sullivan either to resign or be fired from his role.
In 2020, when Sullivan was CISO at Cloudflare, he first learned of his pending arrest in the case when his daughter called him, asking, Are you in jail right now? after one of her friends heard a news report that Sullivan had been arrested.
Sullivan was charged with two counts: obstruction of justice specifically related to a Federal Trade Commission (FTC) investigation

of Uber, and
misprision of a felony
, where he was accused of covering up a felony. The
FTCs statement said that Sullivan allegedly
executed a scheme to prevent any knowledge of the breach from reaching the FTC.
That statement said contracts drafted by Sullivan and a lawyer assigned to his team falsely represented that the hackers did not take or store any data in their hack, and that Sullivan continued to work with the Uber lawyers handling or overseeing the FTC investigation, including the General Counsel of Uber. But the FTC says it was
not notified
about the breach or payment until 2017.
On the misprision of a felony charge, Sullivan said that the attackers violated
18 USD 1030
, related to accessing a computer without permission. However, he argued, there is typically a contractual relationship between a vulnerability researcher and the company whose network they test — usually executed via third-party companies like HackerOne and Bugcrowd.
He noted that these relationships were not common in 2016, so anyone who conducted hacking research into an organizations systems was committing a felony.
Sullivan is appealing
: His attorneys argue that upholding the second charge could
criminalize the use of bug bounty programs
and create a precedent that threatens to take away a valuable tool.
Sullivan said he had always promoted responsible disclosure policies — going back to his role with eBay in the 2000s, when he encouraged testers to reveal details of vulnerabilities they found. You want all of the information you can get, and you realize if you have to pay to get results;

[the results are] better than [from] all of the pen-testing companies, he told attendees at Black Hat Europe.
But that $100,000 payment and NDA haunted Sullivan and Uber: In the federal trial in May of this year, Sullivan was accused of using the NDA as a cover-up. He said in his keynote here that he believed the NDA was a way of solving the problem and of resolving the breach.
Sullivans lawyers
made the case
that Sullivan issued the payment to the hackers with the full knowledge and blessing of Travis Kalanick, Ubers CEO at the time of the breach, as well as that of members of the Uber legal team.
The

judge asked the prosecutor why the CEO of Uber had not been held accountable as well, saying that the CEO was just as culpable as Sullivan yet was not in court, and that Sullivan alone was being held responsible.
Sullivans experience with the Uber breach and its legal fallout has led some security professionals to consult with Sullivan for career advice. He now often gets approached by security professionals who are interviewing for their first CISO

appointment. He said where they once asked for his advice on What do I say to get the job? but now, due to his legal case and the SEC
filing charges
against the SolarWinds CISO, he gets questions like Why would I take on all of that personal risk? and Is the CISO role worth the stress?
Sullivan told Dark Reading that those security executives have been seeking his advice since that first headline in 2017; I get contacted on a weekly basis by people in the role who are worried about an incident going down at their place, or those who are thinking ahead.
He advises security professionals to be sure they have the right personal protections in place so they are prepared for the potential fallout of a data breach.
In one recent conversation, he recommended that the security professional accept a CISO job offer but to first talk with the general counsel and the CEO of the company to make sure they understand the nuances of attacks, vulnerability, and breach disclosure.
He also recommended creating a personal incident response plan and to consider how you would survive a breach personally. Look at your own legal representation, insurance, and plans for your family, he said.
As a strategy for preparing and surviving a breach, Sullivan used the analogy of a fire department. While [one] team is putting out a major fire, at the fire station youll see another team asleep [and] youll see another team polishing the engine.
Fire departments plan ahead and have reinforcements, he pointed out, and I think we have to do a better job building our own fire departments on our teams, and we have to get better at communicating internally. We have got to make more friends.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Ex-Uber CISO Advocates Personal Incident Response Plan for Security Execs