14 Security Fails That Cost Executives Their Jobs
Katherine Archuleta, the director of the Office of Personnel Management, is the latest casualty of a data breach, but she's certainly not the only one. There's no job security when your job is security.
![](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt0919e57d4360087d/64cb5627aa9ef47ca9e68cfa/Archuleta2014.jpg?width=700&auto=webp&quality=80&disable=upscale)
You had one job: Secure the data. What happened?
Life as a CEO, CIO, or CTO is a bit more complex than that. Not every executive is directly responsible for IT security. Few have a deep understanding of it.
But in our networked world, IT security is the foundation of a successful business, and blame is shared when the floor collapses. Organizational leaders may prefer to focus on the big picture, but inattention to security has proven to be a poor career move.
Katherine Archuleta, the director of the US Office of Personnel Management, is the latest casualty of a data breach. She resigned on Friday following revelations that hackers had made off with the data of 21.5 million people who applied for government background checks. Her agency previously disclosed that the personal information of more than 4.2 million federal workers had been compromised.
In a May 2015 study, based on information from 350 companies, IBM and the Ponemon Institute found that the average total cost of a data breach increased to $3.79 million from $3.52 million last year. The average cost paid for each lost or stolen record with sensitive data rose as well, to $154, from $145 last year. That's a global average. In the US, the cost per capita reached $217.
By that measure, the theft of 25.7 million OPM records could cost almost $5.6 billion. If only those funds could be added to the $14 billion proposed for cybersecurity in FY2016. After all, the OPM breach could have serious, long-term implications for national security.
Monetary costs tell us nothing about the angst and inconvenience visited upon the victims of a breach, or the personal and professional toll paid by whoever accepts responsibility.
It's infuriating for data theft victims to be forced to worry about fraud and identity theft due to someone else's errors, ignorance, or incompetence. At the same time, it's difficult not to be a bit sympathetic to those called upon to maintain security using systems and people who are unavoidably flawed. Those who do the job well succeed, in part, because there's someone else out there doing the job less well, someone running an organization that's an easier target.
When you look at the list of companies that have been hacked in some way, it becomes apparent that even the most technically sophisticated organizations can be breached given a sufficiently well-funded, determined attacker. Speaking on 60 Minutes in 2014, FBI Director James Comey put it this way: "There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese, and those who don't know they've been hacked by the Chinese."
And Chinese hackers are not the only hackers in the world.
Given the vulnerability of IT systems, the first act of an incoming CEO, CIO, or CTO should be to write a resignation letter, apologizing for the "unforeseen" data breach that everyone feared was coming. Ideally, the letter's presence will serve as a reminder to prioritize security concerns.
With luck and diligence, the letter will never need to be tendered. But many executives have not been so fortunate or attentive. Here are a few who have stepped aside or been forced out following a breach. Maybe there's a lesson here, or maybe we're all just waiting for the other shoe to drop.
In May 2014, Target CEO Gregg Steinhafel resigned following a massive data breach in 2013 that affected an estimated 110 million customers. His letter to the board mentions the company's commitment to improve data security.
Two months earlier, Target CIO Beth Jacob resigned, a casualty of the same breach.
In February, Amy Pascal resigned as head of Sony Pictures, following a cyberattack by a group calling itself the Guardians of Peace. The group released confidential and highly embarrassing email correspondence between Pascal and other movie industry executives. The group's goal was reportedly to derail the release of The Interview, a comedy that made fun of North Korean leader Kim Jong-un.
In January 2014, 27 executives resigned from South Korean financial firm KB Financial. According to The Wall Street Journal, prosecutors said 104 million credit cards issued by KB Financial and its subsidiaries were stolen by an engineer with Korea Credit Bureau, a company working with the firms.
Stephen Fletcher, executive director of Utah's Department of Technology Services, resigned in May 2012 following the breach of a UDOTS server that affected individuals in the state health system. The breach exposed the Social Security numbers of about 280,000 people and less sensitive personal information about 500,000 others. "An error on the server at the password authentication level" was to blame.
Jim Etter, director of South Carolina's Department of Revenue, resigned at the end of 2012 following a data breach that exposed 3.6 million Social Security numbers. An audit by security firm Mandiant found insufficient security protocols and a failure to encrypt Social Security data.
Ohio State University CIO Kathy Starkoff resigned in 2013 following a 2010 breach, disclosed in late 2012, that exposed the personal information of some 760,000 people. An open records request by OSU news website The Lantern found that the breach was detected on October 22, 2010, but that no email with the term "data breach" appeared in Starkoff's email until December 5, 2010.
Back in 2006, before data breaches had become toxic, AOL intentionally released 20 million search terms used by 650,000 subscribers for research purposes. The data dump turned into a privacy fiasco after The New York Times demonstrated that it could identify searchers from the ostensibly anonymized data. There was a lawsuit, AOL CTO Maureen Govern resigned, and the responsible researcher and his supervisor were fired.
In 2007, Paul Gray, chairman of the Revenue and Customs tax authority (HMRC) in the UK, resigned following the loss of a CD containing the unencrypted child benefit details for 25 million individuals and 7 million families.
Aaron Barr, CEO of technology security firm HBGary Federal, resigned in 2011 following the hacking of the company's website and the exposure of some 71,000 internal emails. He might have avoided all that by not saying that he planned to reveal the names of the leaders of the hacker group Anonymous.
Prudence Chan, CEO of Hong Kong-based smart card payments company Octopus Holdings, resigned in 2010 after it was revealed that the firm sold the private data of customers to business partners. Having a privacy policy means taking it seriously.
Despite a massive breach in 2014 that resulted in the exposure of some 56 million credit cards, no one on Home Depot's executive team appears to have taken the blame. The company didn't immediately respond to a request to identify whether any executives had been held accountable. But some members of the company's security team left the company when managers ignored warnings.
The May 2006 theft of a laptop containing the personal information of 26.5 million US veterans in Virginia led to the resignation of Michael H. McLendon, the Department of Veterans Affairs (VA) deputy assistant secretary at the time. Prior to the theft, CIO Robert McFarland resigned in frustration over the slow pace of change at the agency. After the theft, Pedro Cadenas, Jr., the VA Chief Information Security Officer and Acting Deputy CIO after McFarland's departure, resigned. The analyst who took the laptop home, thus allowing it to be stolen, was fired for violating agency procedure.
In 2011, Randy Vickers, the director of the US Computer Emergency Readiness Team (US-CERT), the group charged with protecting US government networks, resigned. No reason was given, but Vickers's departure followed a series of attacks on US government websites.
Beyond data breaches, lapses in physical security can also prompt resignations. Secret Service director Julia Pierson left after a security failure at the White House. And in 2007, security failings at Los Alamos National Laboratory led to the departure of Linton Brooks, administrator of the National Nuclear Security Administration.