The buck stops here: 8 security breaches that got someone fired

Some deserved the blame, and some seemed to just be at the wrong place at the wrong time.


Heads must roll

A secure network is a sign that a CSO is doing their job right — but it's also something that's hard to notice. It's not exciting when nothing happens! But when something does happen in security, that's usually really bad. It's a great way for a CSO or CIO to get fired, or to get their CEO fired along with them.

In our continuing quest to keep you updated on how bad things can get for security pros who let their company down, we present to you some very bad job consequences that befell tech workers in the wake of news-making security breaches.



Yahoo's blame-shift

At a tech company, everyone's responsible for the tech. So maybe that explains why, after 2016's long-delayed revelation of state-sponsored hacking at Yahoo!, it was Ron Bell, the company's top lawyer, who took the fall. Officially, the reasoning was that the committee of inquiry looking into the hack "found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it." But many disgruntled people inside the company felt the board and CEO Marissa Mayer were equally culpable and Bell unfairly took the fall; Mayer took a seven-figure financial hit in recognition of this fact.

Read more about the botched response to the 2014 Yahoo breach and how the Russian state security gained access to Yahoo's network.


Big Blue screws the Swedes

You'd think Sweden outsourcing its vehicle registration and driver's license database management to IBM would be a fairly safe and boring transaction. But lax security practices led to personnel in IBM's Eastern European subsidiaries, who had never been cleared for it, gaining unauthorized access to sensitive information about Swedish transportation infrastructure — and the identities of undercover officers working for the Swedish security services may also have been exposed. The Swedish Prime Minister called it a "total breakdown." Maria Agren, the director general of the Swedish Transport Agency, was fired for the slip-up, and Minister of the Interior Anders Ygeman lost his place in the Swedish cabinet.


Fake president, real firing

In February of 2016, Austrian aerospace company FACC fell victim to a so-called "fake president" scam, a type of spear-phishing attack where attackers send a falsified request that looks like it comes from a high-level company official to someone authorized to wire large sums of cash. In this case, they pretended to be CEO Walter Stephan and convinced the company to wire 42 million euros into parts unknown. When the hammer fell, it didn't fall on the tech side of the company: the company's CFO was fired in the immediate wake of the incident, and the CEO followed a few months later, though the specific motivations for those firings were unclear.


Sweeping under the rug?

Sometimes firings for security breaches have a darker motivation. In 2014, Mignon Hofmann, an information security officer at San Francisco State, was alerted by an outside agency about a vulnerability in the university's Oracle database. Her efforts to have the vulnerability patched were rejected as too costly, and there was apparently a subsequent "security incident" that she tried and failed to get university administration to address or (as is required by law) publicly acknowledge. They refused, and after she alerted a long list of internal leaders, including "University Management, Risk Management, Legal, Campus Police, Internal Audit, Student Affairs, Housing, the University President, and the Chancellor’s Office," she was fired — and she subsequently sued for wrongful termination.


Do NDAs work on cyberscammers?

It's sad that the recently revealed hack of Uber's databases, which exposed personal information about 57 million customers and drivers, sounds almost routine at this point. What seems particularly ham-handed, though, is the way the company, as directed by top executives, responded. First, they paid the $100,000 ransom the hackers demanded, which on the company books was made to appear as a bug bounty. Then they got the attackers to sign non-disclosure agreements! Uber CSO Joe Sullivan and Craig Clark, the company’s legal director of security and law enforcement, participated in the dodgy deal and both were fired. Company CEO and founder Travis Kalanick also knew, but had been fired from his job already by the time this incident came to light (though, as of this writing, he remains on the board).


Don't let the door hit you on the way out

Often the very top executives at a company are allowed to save face even in the most catastrophic of situations. In the wake of the Equifax hack that exposed confidential data from just about everyone in the United States, the CSO Susan Mauldin and CIO Dave Webb "retired," followed shortly thereafter by the "retirement" of CEO Richard Smith. Smith later testified before Congress about the breach, despite no longer working at Equifax, and sought to cast blame on a single, unnamed individual who had failed to patch vital software. The New York Times dryly noted that "a company spokesman did not respond to questions about that employee’s status with the company."


It's not just the breach, but the contents

The Sony breach of 2014 may feel like old news, but this year former Sony Pictures chief Amy Pascal opened up about the aftermath for the first time, frankly admitting that she was fired in the wake of it. Much of the trouble that arose for her was not just her supervision of the company that allowed the hacking to happen, but the embarrassing, gossipy correspondence she exchanged with others that suddenly became public. "I kept calling [IT] and being like, 'They don’t have our emails, tell me they don’t have our emails,'" she said. "But then they did. That was a bad moment. And you know what you write in emails."


The revolving door

The truth is, there's a certain ritualism to the firing of tech execs after a big breach. On the one hand, companies need to show that they're taking responsibility and treating this seriously; on the other, CIOs and CISOs are often not directly responsible for breaches and yet suffer the consequences far more often than other C-level execs. Chase Cunningham, a security and risk analyst at Forrester, told the Seattle Times that "It’s about the only executive-level job I can think of where you are 100 percent accountable for the failures to come, even though it’s a guarantee that (they) will happen at some point. It's like playing chess with a blindfold on — you cannot win." This might be why many CSOs end up finding more work later, even with stains on their resume.


Making it personal

On the other hand, by letting executives — not just CIOs, but CEOs — know that security breaches have career consequences, we may be seeing some improvements in security practices worldwide. When Target cleaned house in the wake of its massive 2014 hack, that made it "personal," as Cory Weech, the vice president for IT security at Four Seasons, told a panel on boardroom awareness at the 2017 RSA Conference. Company boards are now more likely to be paying attention to threats at other companies — and letting their execs know what might happen to them if similar misfortune comes home.

Copyright © 2017 IDG Communications, Inc.