7 security failures that should be seen as a learning opportunity for CISOs
According to Radware’s 2018 State of Web Application Security report, 23% of companies reported executive firings related to application attacks. US companies were more likely to say execs were let go after an incident, as were companies in the technology or financial services sectors.
While the CISO is not always let go - Kaspersky reports that senior non-IT employees are laid off at 27% of enterprises (those with over 1,000 employees) that suffer a breach – their positions can often be at risk if there were clear security failures. A Nominet survey of over 400 CISOs in the US and UK conducted by Osterman Research found that 6.8% of CISOs in the US and 10% in the UK believed that in the event of a breach they would lose their job. Just under 30% of survey respondents believed they would get an official warning.
Here are seven major security incidents that cost security leaders their jobs in recent years:
1. Capital One
In July 2019 Capital One announced an attacker had gained access to the personal information of over 100 million customers. The bank learned of the attack months after the fact thanks to a tip-off from a security researcher. The suspected attacker, a former Amazon employee, reportedly took advantage of a misconfigured firewall. The company has said it expects the incident to cost it between $100 million and $150 million -- mainly for customer notifications, credit monitoring and legal support -- in 2019 alone.
In November the Wall Street Journal reported that Capital One had replaced Michael Johnson, the firm's CISO since 2017, with the company’s CIO, Mike Eason, while it looks for a full-time replacement. Johnson continues at Capital One as an advisor focused on helping direct the bank’s response to the data breach.
2. Equifax
In 2017 Equifax was compromised via an unpatched consumer complaint web portal. This led to some 143 million customer records – including names, addresses, dates of birth, Social Security numbers and driver's license numbers – being stolen.
As well as a lack of patching, the attack went undetected for months due to the company’s failure to update a certificate on an internal security tool. The company then failed to publicize the breach for over a month after discovery. The US House of Representatives Committee on Oversight and Government Reform called the incident “entirely preventable,” while the US Senate Permanent Subcommittee on Investigations accused the company of a “neglect of cybersecurity.”
The aftermath handling was also poor. The company’s social media team sent out the wrong URL for handling the incident, while the dedicated site itself was poorly secured. To compound matters, Jun Ying, CIO of Equifax U.S. Information Solutions, was jailed for four months and fined $55,000 for insider trading in the wake of the breach but before the company had made the incident public.
The cost of the incident is estimated to be $1.35 billion. The company paid $575 million (potentially rising to $700 million) with the Federal Trade Commission and others. The company then admitted the fund set up from that settlement was due to run out because too many people opted for money rather than free credit monitoring.
Both CSO Susan Mauldin and CIO David Webb left the company in the weeks after the breach. Equifax CEO Richard Smith also retired in the wake of the breach. Mauldin was replaced by interim CISO Russ Ayres (previously Equifax’s vice president of IT) before Jamil Farshchi took up the role permanently having previously served the role at Home Depot, Time Warner and the Los Alamos National Laboratory.
3. Uber
In late 2017, ride-hailing company Uber revealed the data of 57 million riders and drivers had been stolen, including names, email addresses, phone numbers and driver's license numbers. Attackers reportedly accessed Uber’s private GitHub code repository – which the company has since admitted didn’t have multifactor authentication enabled – and used login credentials stored there to access the company’s AWS S3 instances.
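The failure mode above is credentials committed to a source repository. The following scanner is an added example, not code from the article or from Uber, and flags AWS access key IDs and secret-key assignments in text such as a commit diff; the sample config uses AWS's publicly documented example key values, which are not live credentials.

```python
import re
from typing import List, Tuple

# AWS access key IDs start with a documented prefix (AKIA for long-term user
# keys, ASIA for temporary STS keys) followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 base64-like characters; alone that is too noisy, so it is
# only flagged on the right-hand side of a secret-looking assignment.
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def redact(value: str) -> str:
    """Keep just enough of the value to locate it; never log the secret itself."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample: the key values are AWS's documented example values,
# which are deliberately invalid. The final line must not trigger a finding.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a commit id like deadbeef00000000 should not trigger
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Run against staged files in a pre-commit hook, a non-empty result is a reason to reject the commit and rotate the key.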
While that would be bad enough, this breach had occurred over 12 months earlier and the company’s CSO Joe Sullivan was reportedly involved in a cover-up that included handing over $100,000 to the attackers - which was disguised as a bug bounty pay-out - in exchange for deleting the data without releasing it. The news was only made public after new CEO Dara Khosrowshahi had come aboard, despite the company having previously run afoul of the FTC for failing to disclose a data breach in 2014 (before either he or Sullivan had joined the company).
“You may be asking why we are just talking about this now, a year later,” Khosrowshahi said in a statement announcing the breach. “I had the same question. None of this should have happened, and I will not make excuses for it.”
Sullivan, who had previously served as Facebook’s CSO for five years, was fired from Uber after two and a half years at the company as a result. He has since joined Cloudflare as the company’s CSO.
4. Facebook
Not all CSOs leave because of specific incidents. Alex Stamos, Facebook’s CSO since 2015, left after three years in charge of security at the company to take a position at Stanford University after reportedly disagreeing with the company’s handling of the Cambridge Analytica scandal. Stamos apparently favored a more open and direct response in disclosing what the company knew rather than slow and reluctant admission. He later told MSNBC that it was a “big mistake” that the company wasn’t more forthcoming about the severity of the incident.
“Nobody lied, and nobody covered anything up,” he said, “but I feel like the initial way that these things were communicated really set the bar of whether or not a company was going to be seen as part of the solution or part of the problem. Facebook didn’t take that opportunity to say, ‘we’re part of the solution.'”
Stamos has since said that Facebook CEO Mark Zuckerberg has too much power at the company and should stand aside. Previously he had resigned from Yahoo! after the company built a tool for US intelligence officials that could scan users’ Yahoo Mail email accounts.
The social media company announced that it would not be replacing Stamos and instead had embedded its security engineers, analysts, investigators and other specialists into its product and engineering teams to “better address the emerging security threats” the company faces.
5. Target
The 2014 attack on US retailer Target is still spoken about today because it was one of the most notable cases of a successful supply chain attack — hackers exploited poor security in an HVAC vendor to compromise Target’s payment systems and steal the payment details of some 40 million customers over the Christmas period in 2013.
CIO Beth Jacob left Target in the months following the attack as the company overhauled its security posture and appointed its first CISO, former GE CISO Brad Maiorino, shortly afterwards. Jacob has since gone on to have roles at supply chain management provider SPS Commerce and Tivity Health.
As often happens in high profile attacks, Target CEO Gregg Steinhafel resigned from all his positions in the months following the breach (though the company’s failed expansion in Canada was reportedly also a factor). Other CEOs to leave in the wake of cybersecurity incidents include Sony CEO Amy Pascal and Austrian aerospace firm FACC’s CEO Walter Stephan following a successful BEC scam.
6. JP Morgan
2015 saw both JPMorgan Chase's CSO Jim Cummings and CISO Greg Rattray reassigned to new positions within the bank in the wake of its 2014 breach of over 83 million accounts in the US, including names, email and postal addresses and phone numbers. Cummings was reportedly reassigned to work on military and veterans housing initiatives for the bank. Rattray was made head of global cyber partnerships and government strategy and replaced as CISO by former Lockheed Martin security executive Roham Amin.
7. San Francisco State University
In 2015 Mignon Hoffman, information security officer at San Francisco State University, was reportedly fired for what she viewed as an attempt to sweep a 2014 breach of student records “under the rug.” She sued for wrongful termination and whistleblower retaliation, seeking over $1 million in lost pension, lost earnings (past and future) and emotional distress.
In 2014 Hoffman was informed by an outside party of a vulnerability in a university Oracle application server. Information listed as compromised in court documents includes “data on current and past students, financial aid, financial transactions, accounts receivables and interfaces to housing as well as campus wide account management and password reset function.”
She alleged that previously recommended improvements to the Oracle database security were rejected by her superiors due to budget constraints and IT security risk acceptance, and in the wake of the incident the interim CIO didn’t want to report a security breach “on his watch” and sought to “avoid reporting supporting information that might lead to a breach disclosure.”
The university confirmed there was a security incident in which information that was publicly available was potentially accessed. Because it claims there was no breach of personal data, students were not notified, as the university felt students had no reason to be concerned about their personal information. The university denied her termination was related to the security incident. The case was later settled out of court.
(The article was first published in CSO online and is authored by Dan Swinhoe)