Philip Martin Joins Uber as CISO, Bringing Crypto and Defence Credentials to a Chair With History
The former Coinbase security chief takes over at Uber — a company whose breach record, regulatory scrutiny, and expanding data footprint make the hire one of the more consequential CISO appointments in recent memory.

Philip Martin is Uber's new Chief Information Security Officer, stepping into one of Silicon Valley's most scrutinised security roles after years leading cybersecurity at Coinbase.
A Résumé Built for Adversarial Pressure
Martin's career trajectory is not typical. Before Coinbase, he held positions at Palantir and Amazon — two organisations operating at the intersection of large-scale data, government contracts, and complex cloud infrastructure. He also served in the U.S. Army, giving him exposure to operational security disciplines that most commercial CISOs never encounter firsthand.
That combination matters. Running security at Coinbase means facing SIM-swapping crews, nation-state phishing campaigns, and financial-sector regulators who expect documented controls and timely breach notification. It is not a role that produces comfortable complacency. Martin arrives at Uber with scar tissue most candidates lack.
What Uber's Security History Actually Looks Like
Uber's track record deserves plain language. In 2016, attackers breached systems and accessed personal data belonging to approximately 57 million drivers and riders. Rather than disclosing the incident to regulators, the company paid the attackers roughly $100,000 through its bug-bounty programme to destroy the data and stay quiet. The cover-up persisted for more than a year.
Former Uber CSO Joe Sullivan was convicted in October 2022 on federal obstruction and concealment charges stemming directly from that response. It was a landmark case — one of the first criminal convictions of a sitting security executive for how a breach was handled rather than for causing it. The Federal Trade Commission had previously reached a settlement with Uber over the 2016 incident; Sullivan's conviction added a criminal dimension that the industry could not ignore.
Then came 2022. A threat actor linked to the Lapsus$ group and identified online as 'teapotuberhacker' compromised Uber's internal systems via social engineering. The attacker targeted a contractor, overwhelmed them with multi-factor authentication push requests until one was approved — a technique known as MFA fatigue — and then pivoted across internal Slack channels, HackerOne bug reports, and cloud management dashboards. The intrusion exposed not just data but the internal texture of Uber's security programme. Internal documents, vulnerability disclosures, and cloud configurations all became visible.
No ransom was paid. No catastrophic data sale followed. But the reputational and regulatory cost was real, and the root cause was unambiguous: weak identity hygiene and an MFA implementation that could be socially defeated.
Why Identity Hygiene Remains the Core Failure
The 2022 Uber breach is a near-perfect case study in why identity controls matter more than perimeter defences. The attacker did not exploit an unpatched CVE or breach a firewall. They asked a human being to approve a login request, repeatedly, until that human complied. According to the Verizon 2024 Data Breach Investigations Report, social engineering and credential abuse together account for the majority of breaches across industries — a pattern that has held for years and shows no sign of reversing.
Phishing-resistant MFA — FIDO2 hardware keys, passkeys, or certificate-based authentication — would have made that specific attack vector meaningless. Uber's use of push-based MFA created an opening that required no technical sophistication to walk through. That is a configuration decision, not an act of God.
Organisations that still rely on push-based MFA for privileged access, contractor accounts, or remote employees are carrying the same exposure Uber carried in 2022. Upgrading authentication is an engineering project, but the human side of the equation — teaching employees to recognise MFA fatigue attacks and refuse unexpected push requests — is a training problem. Regular security-awareness training that includes realistic social-engineering scenarios is one of the fastest ways to close that gap before an attacker finds it.
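Push-based MFA leaves a trail that defenders can actually watch: a burst of prompts for one account, mostly denied or timed out, followed by a single approval. The detection below is an added example written for this article, not code from Uber or from any identity provider. The log format (one push prompt per line: timestamp, user, result, source address), the five-minute window and the five-prompt threshold are all constructed assumptions; the sample log is likewise made up to show a flood followed by approval next to ordinary legitimate activity.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example, not the article's or any vendor's code. Log format, field
names, window size and threshold are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 300   # assumption: prompts are correlated over a 5-minute sliding window
BURST_THRESHOLD = 5    # assumption: 5 or more prompts in the window is abnormal for one user

# Assumed line shape: "<ISO-8601 UTC timestamp> <user> <approved|denied|timeout> <source IP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<result>approved|denied|timeout)\s+(?P<src>\S+)$"
)

# Constructed sample: contractor01 is flooded with prompts and finally approves one;
# alice logs in normally; bob denies once and retries (a legitimate pattern).
SAMPLE_LOG = """\
2022-09-15T21:02:10Z contractor01 denied 203.0.113.7
2022-09-15T21:02:31Z contractor01 denied 203.0.113.7
2022-09-15T21:03:05Z contractor01 timeout 203.0.113.7
2022-09-15T21:03:40Z contractor01 denied 203.0.113.7
2022-09-15T21:04:12Z contractor01 denied 203.0.113.7
2022-09-15T21:04:50Z contractor01 approved 203.0.113.7
2022-09-15T21:03:00Z alice approved 198.51.100.20
2022-09-15T21:05:00Z bob denied 198.51.100.21
2022-09-15T21:05:20Z bob approved 198.51.100.21
this line is not a valid record and is skipped
"""


def parse_line(line):
    """Parse one push-prompt record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def detect_push_fatigue(lines, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return one finding per user whose prompt count within `window` seconds
    reaches `threshold`. Severity is 'medium' for a flood alone and 'high' when
    an approval arrives while the flood is still inside the window."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # user -> timestamps of prompts still inside the window
    findings = {}                 # user -> finding dict

    for e in events:
        q = recent[e["user"]]
        q.append(e["ts"])
        # Drop prompts that have aged out of the sliding window.
        while (e["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) < threshold:
            continue
        f = findings.setdefault(e["user"], {
            "user": e["user"],
            "severity": "medium",
            "prompts": 0,
            "approved_after_burst": False,
            "sources": set(),
            "first_seen": q[0],
            "last_seen": e["ts"],
        })
        f["prompts"] = max(f["prompts"], len(q))
        f["last_seen"] = e["ts"]
        f["sources"].add(e["src"])
        if e["result"] == "approved":
            # The signal that matters for response: the user gave in during the flood.
            f["severity"] = "high"
            f["approved_after_burst"] = True

    return sorted(findings.values(), key=lambda f: f["user"])


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{f['severity'].upper()}: {f['user']} received {f['prompts']} prompts "
              f"between {f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}; "
              f"approved_after_burst={f['approved_after_burst']}")
```

Run against the sample, the only finding is a high-severity one for contractor01 (six prompts in under three minutes, ending in an approval); alice and bob stay below the threshold. The approval-after-burst flag is the part worth alerting on: a flood that is only denied is annoying, a flood that ends in an approval is a live session to revoke.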
What Martin's Mandate May Look Like
Uber has not published a formal statement describing Martin's scope. Whether his remit includes physical security, third-party vendor risk, or autonomous-vehicle data operations remains unspecified publicly.
That last category is worth watching. Uber's freight, food-delivery, and self-driving research arms collectively generate and store enormous volumes of real-time location data, payment information, and driver and rider PII. Each business line introduces its own threat surface. A CISO with financial-sector regulatory experience and government-adjacent security work is a credible choice for managing that complexity — but the job is defined by execution, not background.
What Defenders Should Take From This Appointment
CISO hires rarely make news outside specialist circles. This one does because of what preceded it: a criminal conviction of Martin's predecessor's predecessor, a socially engineered breach that bypassed technical controls, and a regulatory relationship with the FTC shaped by concealment rather than transparency.
The lesson for security teams is not about Uber specifically. It is about what happens when organisations treat identity controls as a checkbox rather than a discipline. Phishing-resistant authentication, zero-trust segmentation, contractor access reviews, and a culture where employees are empowered to refuse suspicious requests — these are not aspirational goals. They are the baseline that the 2022 breach proved was missing.
MFA fatigue attacks are trivially easy to execute and brutally effective against push-based systems. Reviewing your organisation's authentication standards against NIST SP 800-63B guidance is a practical first step that any security team can take this week, without waiting for a board-level hire to mandate it.
Martin inherits a company with a complicated past and an expanding attack surface. The industry will watch whether Uber's security posture changes under his leadership — not because of the org chart, but because of what the org chart has to fix.
How Uber's Breaches Could Have Been Prevented
- Replace push-based MFA with phishing-resistant alternatives (FIDO2 or passkeys) for all privileged and contractor accounts — NIST SP 800-63B provides the benchmark.
- Run regular social-engineering simulations that include MFA fatigue scenarios so employees recognise and report suspicious authentication requests before approving them.
- Establish contractor access reviews and zero-trust segmentation so a single compromised account cannot pivot across Slack, cloud consoles, and internal tools simultaneously.
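The first and third items above reduce to rules that can be run against an identity inventory on a schedule. The audit below is an added example written for this piece, not Uber's tooling or any vendor's product. The inventory schema, the role names treated as privileged, the 90-day review cadence and the sample accounts are constructed assumptions; the split between phishing-resistant authenticators (FIDO2, passkeys, certificates) and push or OTP is the one the article draws with reference to NIST SP 800-63B.

```python
"""Audit an identity inventory against a phishing-resistant MFA and
contractor-access policy.

Added example, not the article's or any vendor's code. Schema, privileged
role names, review cadence and sample accounts are constructed assumptions.
"""
from datetime import date

PHISHING_RESISTANT = {"fido2", "passkey", "piv_certificate"}   # assumption: accepted authenticators
PRIVILEGED_ROLES = {"cloud_admin", "iam_admin", "slack_admin"}  # assumption: roles treated as privileged
REVIEW_DAYS = 90                                               # assumption: contractor review cadence

# Constructed inventory: one row per account. Dates are ISO strings as an
# export might contain them; "end_date" is present only for contractors.
INVENTORY = [
    {"user": "alice", "type": "employee", "roles": ["cloud_admin"],
     "mfa": "fido2", "last_review": "2024-05-01"},
    {"user": "bob", "type": "employee", "roles": ["engineer"],
     "mfa": "push", "last_review": "2024-01-10"},
    {"user": "contractor01", "type": "contractor", "roles": ["support"],
     "mfa": "push", "last_review": "2024-01-10", "end_date": "2024-12-31"},
    {"user": "contractor02", "type": "contractor", "roles": ["cloud_admin"],
     "mfa": "passkey", "last_review": "2024-05-20", "end_date": "2024-03-31"},
]
AS_OF = date(2024, 6, 1)   # constructed audit date


def is_privileged(account):
    return bool(PRIVILEGED_ROLES.intersection(account["roles"]))


def audit_accounts(inventory, as_of, review_days=REVIEW_DAYS):
    """Return a list of (user, issue) tuples.

    Rules:
      * privileged or contractor accounts must use a phishing-resistant authenticator;
      * contractor accounts must have had an access review within `review_days`;
      * contractor accounts whose engagement end date has passed must not still exist.
    Ordinary employee accounts with push MFA are out of scope for this policy.
    """
    issues = []
    for acct in inventory:
        in_scope = acct["type"] == "contractor" or is_privileged(acct)
        if in_scope and acct["mfa"] not in PHISHING_RESISTANT:
            issues.append((acct["user"], "non_phishing_resistant_mfa"))
        if acct["type"] == "contractor":
            reviewed = date.fromisoformat(acct["last_review"])
            if (as_of - reviewed).days > review_days:
                issues.append((acct["user"], "stale_access_review"))
            if "end_date" in acct and date.fromisoformat(acct["end_date"]) < as_of:
                issues.append((acct["user"], "contract_ended_still_active"))
    return issues


if __name__ == "__main__":
    for user, issue in audit_accounts(INVENTORY, AS_OF):
        print(f"{user}: {issue}")
```

On the sample inventory the audit raises three findings: contractor01 is on push MFA and has not been reviewed in 143 days, and contractor02 is still active two months after the engagement ended. alice passes, and bob is out of scope because a non-privileged employee is not covered by the rule as the article states it. The useful property is that the same function runs unchanged against a real export once the schema is mapped, which is what makes "contractor access reviews" a recurring job rather than a one-off.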
Train2Secure's security-awareness programmes include real-world social-engineering scenarios — the exact attack type that broke Uber's defences in 2022.
Sources & further reading
- https://www.ftc.gov/news-events/news/press-releases/2018/04/uber-agrees-expanded-settlement-ftc-related-2016-data-breach
- https://www.justice.gov/usao-ndca/pr/jury-finds-former-chief-security-officer-uber-guilty-federal-charges-concealing-data
- https://nvd.nist.gov/vuln/detail/CVE-2022-29583
- https://pages.cdn.pagesign.com/verizon-2024-dbir.pdf
- https://pages.nist.gov/800-63-3/sp800-63b.html
Frequently asked questions
Who is Philip Martin and why is his Uber appointment significant?
Philip Martin is a cybersecurity executive who most recently served as CISO at Coinbase. His appointment at Uber is notable because of the company's history — including a covered-up 2016 breach that led to the criminal conviction of a former CSO, and a 2022 intrusion achieved through social engineering and MFA fatigue.
How did the 2022 Uber breach happen?
A threat actor linked to the Lapsus$ group used an MFA fatigue attack against a contractor — sending repeated push authentication requests until one was approved — then moved laterally through Slack, HackerOne, and cloud dashboards. No technical vulnerability was exploited; the attacker socially engineered a human into granting access.
What is MFA fatigue and how can organisations defend against it?
MFA fatigue occurs when an attacker floods a target with push-based authentication requests, hoping the user approves one out of frustration or confusion. Organisations can mitigate this by switching to phishing-resistant MFA (FIDO2 keys or passkeys) and training employees to immediately report and refuse unexpected authentication prompts.
What happened to Uber's former CSO Joe Sullivan?
Joe Sullivan, who served as Uber's Chief Security Officer during the 2016 breach, was convicted in October 2022 on federal obstruction and concealment charges. He was found guilty of paying the attackers to stay quiet and concealing the breach from regulators — one of the first criminal convictions of a security executive for breach-response conduct.