Equifax, JPMorgan and two more insane data breaches that cost CISOs their jobs

While it’s wrong to make someone a scapegoat following a security incident, there have been several cases where the CISO of a major company was let go following a major breach. In this article, we will be examining five such instances in which the CISO was forced to face the music. However, before we do so, let’s look at some numbers:

  • As per a 2018 State of Web Application Security report by Radware, 23% of companies admitted to firing an executive over application attacks.
  • According to Kaspersky, senior non-IT employees are laid off at 27% of enterprises (those with over 1,000 employees) that suffer a breach.
  • Osterman Research conducted a Nominet survey of over 400 CISOs in the US and UK and found that 6.8% of CISOs in the US and 10% in the UK believed that in the event of a breach, they would lose their job. In fact, just under 30% of respondents believed they would get an official warning.

#1 Equifax

In 2017, Equifax, one of the largest consumer credit reporting agencies, suffered a breach that led to the leak of 143 million consumer records. These records included names, addresses, dates of birth, Social Security numbers, and driver’s license numbers. To make matters worse, Equifax didn’t disclose the breach for over a month post-discovery. The US Senate Permanent Subcommittee on Investigations called the entire fiasco a “neglect of cybersecurity.”

The cost of the total incident added up to $1.35 billion. CEO Richard Smith, CSO Susan Mauldin and CIO David Webb all left the company following the breach.

#2 Capital One

In July 2019, Capital One announced that the personal information of 100 million customers had been hacked due to a misconfigured firewall. As per Capital One, in 2019 alone, this incident cost between $100 million and $150 million. Most of this money was spent on customer notifications, credit monitoring, and legal support. Michael Johnson, the firm’s CISO since 2017, was temporarily replaced in November 2019 by CIO Mike Eason. Johnson has since remained on board as an advisor.

#3 JPMorgan Chase

In 2014, JPMorgan Chase suffered a breach, which compromised 83 million accounts in the US. The leaked information included names, email and postal addresses, and phone numbers. As a result, CSO Jim Cummings and CISO Greg Rattray were reassigned to new positions within the bank. 

#4 Uber

The ride-hailing app suffered a pretty infamous data breach in late 2017. The attackers stole the names, email addresses, phone numbers and driver’s license numbers of over 57 million riders and drivers. Apparently, Uber’s GitHub code repository wasn’t secured via multifactor authentication, which the attackers promptly exploited.

To make matters worse, CSO Joe Sullivan was attempting to cover up the attack by handing over $100,000 to the attackers. Sullivan was eventually fired and has since joined Cloudflare as its CSO.

Conclusion

As a CSO, you need to do all that you possibly can to secure the overall safety of your company. For better or for worse, you are going to be held accountable for your company’s health. To prevent devastating data breaches like the ones mentioned above, you need to make sure that you have correctly configured your cloud settings. To do so, check out the article we have written on cloud storage misconfiguration and GitHub exposure.

The post Equifax, JPMorgan and two more insane data breaches that cost CISOs their jobs appeared first on Netenrich.
