7 Security Incidents That Cost CISOs Their Jobs
Capital One
CapitalOnebank data hacked
The attack on Capital One, on July 2019, granted access to over 100 million customers’ personal information. Information disclosed after the attack stated that the suspected attacker, a former Amazon employee, reportedly took advantage of a misconfigured firewall. The company earlier said that it expects the incident to cost between $100 million and $150 million, which was for customer notifications, credit monitoring, and legal support.Wall Street Journal reported in its November publication that Capital One had replaced the firm’s CISO, Michael Johnson, since 2017, with the company’s CIO, Mike Eason, while it looks for a full-time replacement. Johnson continues at Capital One as an advisor focused on helping the bank direct its response to the data breach.
Equifax
Equifax Customer data hack
Equifax was compromised in 2017 via unpatched consumer complaint web portal. This led to the loss of 143 million customer records, including names, addresses, dates of birth, social security numbers, and driver license numbers.This was because the company’s social media team sent out the wrong URL for handling the incident, while the dedicated site itself was poorly secured.The cost of the incident is estimated to be $1.35 billion. In the end, the company paid $575 million to the Federal Trade Commission and others.
Uber
Uber riders and drivers data hacked
Uber in 2017 revealed the data of 57 million riders and drivers been stolen. This includes names, email addresses, phone numbers and driver license numbers. Attackers reportedly accessed Uber’s private GitHub code repository which Uber admitted that the multifactor authentication was not enabled.While that would be bad enough, this breach had occurred over 12 months earlier. Sullivan, who had previously served as Facebook’s CSO for five years, was fired from Uber after two and a half years at the company as a result of the incident.
领英推荐
Alex Stamos Facebook’s CSO
Alex Stamos, Facebook’s CSO since 2015, left after three years of being in charge of security at the company to take a position at Stanford University after reportedly disagreeing with the company’s handling of the Cambridge Analytical scandal. Stamos apparently favored a more open and direct response in disclosing what the company knew rather than slow and reluctant admission.The social media company announced that it would not be replacing Stamos and instead had embedded its security engineers, analysts, investigators and other specialists into its product and engineering teams to “better address the emerging security threats” the company faces.
Target
The 2014 attack on US retailer, Target, is still spoken about today because it was one of the most notable cases of a successful supply chain attack. Hackers exploited poor security in an HVAC vendor to compromise Target’s payment systems and steal the payment details of over 40 million customers during the Christmas period in 2013.
JP Morgan
J P Morgan account breach
2015 saw both JPMorgan Chase’s CSO, Jim Cummings, and CISO, Greg Rattray, reassigned to new positions within the bank in the wake of its 2014 breach of over 83 million accounts in the US, including names, email and postal addresses and phone numbers. Cummings was reportedly reassigned to work on military and veterans housing initiatives for the bank. Rattray was made head of global cyber partnerships and government strategy and was replaced as CISO by former Lockheed Martin security executive, Roham Amin.
San Francisco State University
In 2015, Mignon Hoffman, information security officer at San Francisco State University, was reportedly fired for what she viewed as an attempt to sweep a 2014 breach of student records “under the rug.” She was sued for wrongful termination and whistleblower retaliation, seeking over $1 million in lost pension, lost earnings (past and future), and emotional distress.She alleged that previously recommended improvements to the Oracle database security were rejected by her superiors due to budget constraints and IT security risk acceptances, and in the wake of the incident, the interim CIO didn’t want to report a security breach “on his watch” and sought to “avoid reporting supporting information that might lead to a breach disclosure.”The university confirms there was a security incident in which information that was publicly available was potentially accessed. Because it claims there was no breach of personal data, students were not notified as the university felt students had no reason to be concerned about their personal information. The university denied her termination was related to the security incident. The case was later settled out of court.
Good Read!