Should Senior IT Professionals Be Accountable for Professional Decisions?

vtqhtr413

In July, SolarWinds CISO Tim Brown and CFO Bart Kalsu received Securities and Exchange Commission notices of potential enforcement action over alleged violation of securities laws. The issue stems from their response to the Russian hack of the Orion network monitoring software in 2020 — a product used by more than 30,000 organizations. This isn't the first high-profile instance of a chief information security officer facing individual scrutiny for decisions affecting their organization.

Everyone makes mistakes. But what if your mistakes cost you tens of thousands of dollars in fines, see you facing jail time, or risk the security of millions of other people? Companies now access and handle more personal data than ever before. And regulators are reexamining the significant responsibility that brings. Ranging from negligence to deliberate cover-ups, here are two other cases from recent years, involving Uber and TSB.

In May 2023, former Uber chief security officer Joe Sullivan was sentenced to three years' probation and given a $50,000 fine for covering up a massive 2016 data breach at the ride-sharing giant. Sullivan started as Uber's chief security officer in 2015. At the time, the company had recently disclosed a 2014 data breach that compromised about 50,000 consumers' personal information, leading to an FTC investigation. Shortly after, Uber was hacked once again. This time the hackers contacted Sullivan directly. About 57 million users had their data stolen.

According to the US Department of Justice (DOJ) release covering the charges, "Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC." He paid the hackers $100,000 in exchange for them agreeing not to disclose the hack.
 
