Maintaining a solid cybersecurity posture in today’s digital world is no easy feat. It’s enough to keep those in charge of maintaining the confidentiality and availability of an organization’s data tossing and turning all night. The truth is that hackers and their tactics are becoming more sophisticated, and it can be challenging to keep up. This fact is further compounded as hackers become more collaborative in their efforts and receive greater financial backing from influential groups, including nation-states.
One of the biggest concerns for Chief Security Officers (CSOs) and other security professionals is ransomware. I know, big surprise there. It’s not only one of the most common cyber threats today, but the devastating effects of these attacks have been well documented, with victims ranging from large corporations to small businesses to critical infrastructure. We all remember Colonial Pipeline’s shutdown in 2021 due to a ransomware attack.
So, what happens when an organization gets hit with ransomware? There are only a few options.
- Option 1: Call a digital forensics and incident response (DFIR) team, secure your network, and use data backups to restore the information on your network.
- Option 2: Pay the ransom and hope the hackers have the decryption key to unlock your data.
- Option 3: Attempt to negotiate with hackers to lower the payment and hope they don’t make your information public.
Of course, these three options have variations, but you get the gist. What you absolutely do not do, however, is covertly pay off hackers, get them to sign a non-disclosure agreement (NDA), and sweep it under the rug. That is precisely what Joe Sullivan, former CSO at Uber, did in 2016.
2016 Uber Data Breach Cover-Up: What Happened?
On October 5, 2022, Joseph Sullivan, Uber’s former Chief Security Officer, was found guilty of obstructing justice and concealing a felony regarding a data breach suffered by Uber in 2016. According to an article by BBC, at the time of the 2016 breach, the Federal Trade Commission (FTC) was completing an investigation into a data breach Uber had suffered two years prior.
Sullivan received a notice from hackers informing him they exfiltrated data. The message stated that unless Uber paid the ransom, they had every intention of releasing the information on Uber drivers and riders to the public and the dark web. Not wanting to draw more attention from the FTC, Sullivan notified the current CEO and in-house legal team of the notice. They decided that they would attempt to negotiate with the hackers to delete the data and keep quiet about the incident.
Travis Kalanick, Uber’s CEO at the time, gave his okay to proceed with the plan. The negotiation dictated that the hackers would sign an NDA stating they would not disclose that they infiltrated Uber’s network and exfiltrated data. Further, the hackers would destroy the data in their possession – because we can always count on hackers to keep their word. In Exchange, Uber would pay the hackers $100,000 in Bitcoin and disguise it as an award for their “bug bounty” program. For reference, the median reward for identifying a critical vulnerability was $3,000 in 2021 – a far cry from $100,000 in 2016.
Within a year following the cover-up, Kalanick was fired for unrelated scandals, and the company appointed a new CEO, Dara Khosrowshahi. Upon learning what had happened, Khosrowshahi fired Sullivan, notified the FTC, and assisted the U.S. attorney’s office with building a case against Sullivan. While Khosrowshahi could have kept the information to himself, he wanted to highlight that things would be different under his leadership. As a result, Uber paid $148 million in fines for failing to disclose the breach in a timely manner.
What Sullivan’s Sentence Means for CSOs
Working as a Chief Security Officer, or any security professional, if we are being honest, in today’s environment is no walk in the park. To say a few mental health days are needed would be an understatement. CSOs are under pressure constantly to keep up-to-date with the ever-evolving cybersecurity threats and trends. This pressure, combined with other stressors, including lack of funding, resources, and apathetic management, can quickly lead to burnout.
As if there wasn’t enough to worry about, Sullivan’s guilty ruling now adds another layer of complexity to their position. Are they personally liable for decisions made by their organization? As previously mentioned, Sullivan did notify his CEO and legal team of the ransomware attack in 2016. They agreed that negotiation was the right move. He proceeded forward with their plan and, six years later, was found guilty of obstruction of justice.
So, is this the new precedent for security professionals? Many would say no, not exactly. While it is something to be mindful of, this case is unique because Sullivan actively tried to hide the breach from officials and regulatory bodies. He also failed to disclose that data was exfiltrated from Uber’s network.
Ransomware Negotiation Isn’t a Dirty Word
With that being said, ransomware negotiation isn’t a dirty word that can only be discussed in hushed tones. While it is not recommended, it is becoming a common tactic for organizations. This tactic is especially true for organizations with cybersecurity insurance policies that help cover these attacks.
The Federal Bureau of Investigation also states that, while not recommended, they will not pursue organizations that choose to negotiate and make a payment to release their data from hackers. That is provided the hackers are not involved with prohibited criminal groups – especially hacking groups with heavy Russian influence.
Benefits of Paying a Ransom
Paying a ransom can, in some instances, be cheaper overall and get the business back on its feet faster than attempting to restore from backups, assuming backups are even an option, or recreate unrecoverable data. In other instances, it may be the only way to keep the organization’s confidential data from being leaked to the public or dark web. According to Verizon’s Data Breach Investigations Report, the threat of exposing data jumped to 58% in 2021 – a 53% increase from 2016.
Drawbacks of Paying a Ransom
But taking this route does have its drawbacks. The most obvious drawback is that hackers often return to the scene of the crime. Once a company is identified as a paying customer, attackers seek to make them a repeat customer. Of the organizations that suffer a breach, two-thirds got hit by a cyber-attack more than once. In addition, 1 in 10 suffered an attack over ten times.
If a cyber-attack is successful, especially if payment is made, ensuring the security gaps that led to the initial breach are remediated quickly is paramount to ensure that extortionists do not use the same methods again. Attackers, however, often leave themselves multiple avenues for reinfection so companies need to thoroughly review their systems to remove methods for persistent access.
Transparency is Key
There is an expectation to “do the right thing” when a breach occurs. This statement is especially true when stolen data is on the table. Notifying the proper authorities and regulatory bodies that an incident has occurred in a timely manner is key to staying out of Sullivan’s position.
Hiding an incident is ultimately untenable. Clients and partners have seen enough companies experience ransomware and other cyber-attacks to recognize the side effects. If you go too long without responding to emails, have unexpected downtimes with key applications or services, or request logs or other investigative information from service providers, they might assume that a breach has occurred. Consequently, they will expect to hear about it from the company soon after. Excuses and lies will not build any goodwill with your client base, and certainly not with regulators.
Many compliance requirements have set strict notification timelines, including the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). For example, an organization has 72 hours, where feasible, to notify the proper authorities under GDPR. As consumer rights to privacy continue to become more prevalent, you can expect to see more privacy-specific litigation go into effect around the United States.
So, if you get hit with ransomware, don’t worry – you’re probably not going to jail. Have a DFIR team and cybersecurity attorney on call that can help you navigate the complexities that come with managing a data breach. But, whatever you do, don’t try to hide the fact that your organization was breached. Don’t be a Sullivan.