Former Uber CSO avoids jail time over breach coverup. Cyber insurers lose over act of war exclusion. CISA warns over suspect communications suppliers as Cisco tells customers to ditch vulnerable kit.
By Joe Fay
Ex-Uber CSO Joe Sullivan Gets Fine, Probation but No Jail Time For Data Breach Coverup
Uber’s former chief security officer Joe Sullivan has been spared jail for his role in covering up a 2016 data breach at the ride-sharing giant. Sullivan was instead hit with a $50,000 fine, three years’ probation, and a 200-hour community service order, despite prosecutors pushing for a 15-month prison term.
The case concerned a data breach at Uber in 2016 that exposed data of 57 million users and 600,000 drivers. A jury last year found Sullivan guilty of obstruction of justice for actively concealing the breach from FTC officials investigating an earlier breach at the firm. He was also found guilty of concealing a felony by paying $100,000 to the two hackers responsible for the breach to keep quiet. The payment was presented as a “bug bounty”. Sullivan’s actions came to light when Dara Khosrowshahi became Uber CEO in 2017, replacing Travis Kalanick, and informed regulators.
Prosecutors had asked Judge William Orrick to give Sullivan jail time, in part to encourage other security execs to do the right thing. Sullivan himself is a former DoJ cybercrime prosecutor. Orrick demurred this time around, but reportedly said, "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison."
US Court Rules Against Insurance Firms Over “Act of War Exclusion”
Pharmaceutical giant Merck has won the latest round in a court case with its cyber insurance providers stemming from its 2017 infection with the NotPetya malware. The firm’s insurance providers had argued that as NotPetya was attributed to threat actors linked to the Kremlin, the havoc caused at Merck should be considered an “act of war”, and that they should not have to pay out. Last week a New Jersey appellate court upheld an earlier ruling that the insurers had taken an overly broad interpretation of what constitutes a “hostile/warlike action” and the exclusion clause couldn’t be invoked. It’s unlikely the case will stop in the appeal court.
CISA Highlights “FCC Covered List” Of Suspect Comms Suppliers
CISA has urged organizations to sit up and take notice of the “FCC Covered List” when working out risk management plans. The FCC’s list sets out communications equipment and services “that have been determined by the U.S. government to pose an unacceptable risk to the national security of the U.S. or the security and safety of U.S. persons to national security”. The list consists of ten providers in total, all of which have China links, except for Russia-based AO Kaspersky Lab.
Trend Micro Dials Down Cyber Risk Level
Trend Micro has reset its Global Cyber Risk Index to “moderate” for the second half of 2022, down from “elevated” in the first half of the year. The index was set at +0.01, an improvement on the previous period’s -0.15. Trend said that organizations globally were better prepared for cyber-attacks. Organizations also considered the threat landscape as having improved, something Trend suggested could be down to an apparent drop in ransomware in the second half of 2022. By region, North and South America appeared the least prepared for cyber threats.
UAE Cyber Security Agency Fends Off All Known Threats
The head of the United Arab Emirates Security Council said last week that, together with its partners, it deals with 50,000 cyberattacks a day but countered them all “proactively and efficiently”. Mohammed Hamad Al Kuwaiti said the country’s banking, finance, health, and oil and gas sectors were the most targeted. He was speaking at the Oracle CloudWatch Tour in Abu Dhabi, where the UAE and Oracle extended an existing cooperation agreement, including sharing information on risks.
Cisco Tells Customers with Flawed Adapter – Just Dump It
Networking giant Cisco has warned of a critical flaw in its SPA112 2-Port Phone Adapter – but said it has no intention of issuing a fix and that affected customers should just dump the kit in question. A missing authentication check in the device’s firmware upgrade function means an attacker could craft a version of the firmware that would allow them to execute arbitrary code on the affected device with full privileges. Cisco said it would not release an update, despite the product’s earlier end-of-life notice stating the last date of support as May 31, 2025. The flaw was flagged to Cisco by Chinese firm Dbappsecurity Co., Ltd.