Top ride-sharing company Uber has reportedly suffered another data breach. Leaked data includes employee email addresses, corporate reports, and IT asset information. A third-party vendor is reportedly the source of the breach.
Threat Actor Advertises Stolen Data
A threat actor calling themselves 'UberLeaks' has published alleged stolen data from Uber and sister organization Uber Eats on a popular hacking forum. The data includes source code associated with the mobile device management (MDM) platforms used by Uber, Uber Eats, and third parties associated with the organizations.
As more details emerge, cybersecurity experts have shared their initial insights on the incident.
Nick Tausek, Lead Security Automation Architect at Swimlane
“Unfortunately, Uber has fallen victim to another devastating cyberattack that has resulted in leaked employee email addresses, corporate reports and IT asset information. While it has not yet been confirmed, experts believe the Lapsus$ hacking group, the same actor responsible for the September breach, is responsible for the incident. While the initial attack vector in September’s breach was social engineering (some employees were tricked into sharing passwords with the attackers, who impersonated technical support personnel), it is believed that this attack was caused by a breach of a third-party security vendor.
As Uber attempts to recover leaked data, it is also experiencing reputational and financial fallout from its second major cyber incident in three months. In September, Uber shares fell 5.2% with news of the data breach, making it likely that the company will suffer the same fate in the days following this incident. More importantly, leaked employee email addresses put company employees at risk for future phishing and fraud scams. The September Uber breach was exacerbated by lax security policies at Uber, including storing sensitive credentials on network shares. Unfortunately, the most recent attack highlights the company’s vulnerability despite the protection of a third-party vendor.
To better defend against similar cyber incidents, it is essential that companies like Uber adopt systemwide, low-code security automation. Security automation enables companies to leverage streamlined detection and implement proper incident response to ensure first-rate protection free of human error. By adopting low-code security automation tools, companies can achieve a cohesive protection strategy that prevents threat actors from accessing sensitive data.”
Paul Bischoff, privacy advocate at Comparitech
“The leaked data included email addresses and active directory info for thousands of Uber employees. Given that the data is now publicly accessible, as opposed to being sold to a single party, anyone could use it to launch targeted phishing attacks against Uber employees. These attacks could trick Uber staff into giving up login credentials, leading to further, more consequential attacks. Even if only a handful of employees out of the 77,000 affected were to fall victim to a phishing scam, it could be detrimental to Uber and its customers.”
Chris Hauk, consumer privacy champion with Pixel Privacy
“Happily, there doesn't appear to be any customer information exposed in this breach. However, the internal corporate information that has been exposed in the breach could be used by bad actors to extract additional information via social engineering, meaning customer data could be exposed in late breaches.”
Lorri Janssen-Anessi, BlueVoyant Director of External Cyber Assessments
“It is imperative that companies take note of the common techniques that threat actors are employing to compromise networks. There is clear evidence that third parties or third-party vendors continue to be the favored vector to exploit in order to gain access to a larger target. This reported Uber breach is yet another unfortunate example. Not only did the threat actor exploit a third party to gain access to the company, this was not the first incident the company suffered recently. This tactic is highly successful, and until companies extend their security programs and practices systematically throughout the entire ecosystem, they will continue to be at risk. This also highlights the dangers of sharing information with third parties or third-party vendors, that you are at the mercy of the third-party security program, if one exists, and its implementation. This holds your data undeniably at risk via that third-party vendor.
BlueVoyant recently surveyed more than 2,000 C-level executives on supply chain cybersecurity. The survey showed that organizations are still struggling to monitor and prevent negative impacts from vendors and suppliers. Ninety-eight percent of firms surveyed say they have been negatively impacted by a cybersecurity breach that occurred in their supply chain, slightly up from 97% of respondents last year. One reason for this may be that 40% of respondents rely on the third-party vendor or supplier to ensure adequate security, which can leave them vulnerable to breaches.
In order for companies to better protect themselves from attacks like this, they should make sure they know the vendors, suppliers and other third parties that have network access and are needed for business continuity. They should then continuously monitor these third parties to find issues, like unpatched systems or IT hygiene issues. Then companies should work with their third parties to remediate these issues.”
Anand Revashetti, CTO and co-founder, Lineaje
“What's clear is that Uber's internal corporate information is now available to all, which is gold dust for attackers to conduct further targeted phishing attempts and infiltrate Uber's systems. Uber and its vendors must now enforce a heightened level of security and alertness to guard themselves from becoming another supply chain threat vector.
To prevent this, organizations need to know what’s in their software. This knowledge helps them not only discover risks but be more proactive in mediating the threats they impose. That is why it’s critical to have solutions that help companies analyze the software supply chain and avoid deployment of unknown and malicious components hidden in legitimate software.”
Neil Jones, director of cybersecurity evangelism, Egnyte
“The rideshare industry collects a veritable treasure trove of data that can be exploited by potential cyberattackers, including personally identifiable information (PII), credit card data, employee records and users’ behavioral patterns like ride history. So, frankly, I am surprised to see that Uber hasn’t prioritized its own cybersecurity—and analyzed the cybersecurity processes of its third-party vendors—more effectively. I am especially concerned that the new attack may involve source code data associated with its mobile device management (MDM) platforms and Microsoft Windows login information, which are extremely valuable for future attacks.
The new cyberattack on Uber is a stark reminder that organizations' cybersecurity programs are only as strong as their weakest links. Uber employees should be on the lookout for potential phishing emails and report the communications to their IT support contacts straightaway. In addition to closely reviewing third-party vendors’ IT security practices, general cybersecurity awareness training and anti-phishing education are powerful deterrents to future attacks.”