Naked Security

Uber gets its first chief security officer – Facebook’s Joe Sullivan

Uber just poached Facebook's Joe Sullivan to act as the ride-hailing app company's first chief security officer. It might make you wonder - why didn't Uber have a CSO before now?

Uber isn’t afraid to throw its weight around, and whether it’s forcing its will on reluctant cities, or crushing competitors, it usually gets what it wants.

Now Uber has poached a top executive from Facebook.

Uber wanted a chief security officer (the first ever at the six-year-old company), and got their man – Facebook’s Joe Sullivan.

Sullivan acted as chief security officer (CSO) at Facebook for five years, and before that in similar roles at eBay and PayPal.

In a blog post announcing the hire, Uber CEO Travis Kalanick said Sullivan will oversee the ride-hailing giant’s cybersecurity and safety efforts on a global scale.

Kalanick set the bar for Sullivan pretty high, saying Uber wants to “redefine what it means to be a world-class, people-centric protector of privacy.”

A bold statement for sure, especially considering Uber’s bad track record around data security and privacy.

Let’s look at a sampling of Uber’s security SNAFUs we’ve covered at Naked Security in recent months:

  • A database breach in which 50,000 driver identities were stolen, which may have been the result of leaving “secret” login keys in a public posting on GitHub.
  • Data lost, and found, when customer data was exposed for several hours in an online “lost and found” portal.
  • Stolen customer logins, offered for sale in a dark web marketplace.

Uber’s dedication to privacy hasn’t exactly been world-class, either.

There was the Uber executive who suggested spending $1 million to dig up dirt on a journalist critical of the company.

Or the Uber job applicant who claimed he was given admin-style privilege to access Uber’s real-time passenger data feed, even after his interview ended.

Apparently, Uber staff had the same sort of unfettered access, with potential disciplinary action the only safeguard against misuse.

Which leads to the next tale – an incident where an executive at the company confessed to sneaking a peek at a journalist’s supposedly private trip information, tracking her movements on two separate occasions.

And how about those Uber data crunchers publishing a since-deleted blog post about mining data to spot customers who’ve just had lovers’ trysts, which, even if anonymized, is really creepy.

We should give Uber some credit – it has recently stepped up its safety and security efforts.

In November 2014, the company hired an outside auditor to check up on its data security practices, and this past March, in response to several lawsuits against it, Uber said it was working on improving customer safety and beefing up background checks on drivers.

Uber has learned, slowly, that it has security problems that need addressing – although you have to wonder why Uber didn’t have a CSO before now.

Maybe it’s because start-ups are so busy growing their companies that “security is an afterthought,” as Tyler Shields, a senior security analyst at Forrester Research, told the Washington Post.

Hiring one of Silicon Valley’s top security pros is a positive step in the right direction.

But Sullivan, who was a pioneer of cybersecurity investigations at the US Department of Justice before jumping to the private sector, definitely has his work cut out for him.

Image of handshake courtesy of Shutterstock.
