Breaking Down a Data Breach – An Uber Case Study


Uber is an app you likely have on your phone. It’s also an example of what happens when data privacy is mismanaged. This analysis covers several angles, from employees who don’t take proper precautions with their personal cell phones (especially important if your employer lets you BYOD to work), to the need for businesses to safeguard the customer data they collect. It lends support to the position that employees are the weakest link in cybersecurity and demonstrates the risk posed by storing data on third-party servers.

A Series of Unfortunate Events

A major breach in September was one of 2022’s most significant. A post in the newsroom of the world’s largest taxi alternative provided details of the incident.

“An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.” The breach reportedly compromised the company’s entire network, including internal databases and its Slack channel. Uber disclosed that the personal information of about 57 million customers and drivers was stolen by the hacker.
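The repeated two-factor approval requests in Uber's account above leave a recognisable pattern in authentication logs. As an added example (not from Uber or the original article), this Python sketch flags a burst of denied or unanswered push prompts and, separately, an approval that follows such a burst; the log format, event names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, account, MFA push result.
SAMPLE_EVENTS = """\
2022-09-01T01:00:05Z contractor-a push_timeout
2022-09-01T01:01:10Z contractor-a push_denied
2022-09-01T01:02:00Z contractor-a push_denied
2022-09-01T01:03:30Z contractor-a push_timeout
2022-09-01T01:04:15Z contractor-a push_denied
2022-09-01T01:05:40Z contractor-a push_denied
2022-09-01T01:07:02Z contractor-a push_approved
2022-09-01T09:00:00Z employee-b push_timeout
2022-09-01T09:00:40Z employee-b push_approved
2022-09-01T10:00:00Z employee-c push_denied
2022-09-01T11:00:00Z employee-c push_denied
2022-09-01T12:00:00Z employee-c push_denied
2022-09-01T13:00:00Z employee-c push_denied
2022-09-01T14:00:00Z employee-c push_denied
""".splitlines()

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of failed prompts that is abnormal

def parse(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, time, kind, failed_prompts_in_window) alerts."""
    recent = defaultdict(deque)  # user -> times of denied/unanswered prompts
    alerts = []
    for ts, user, result in sorted(parse(l) for l in lines if l.strip()):
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()  # forget prompts older than the window
        if result in ("push_denied", "push_timeout"):
            failed.append(ts)
            if len(failed) == threshold:  # alert when the count first reaches it
                alerts.append((user, ts, "prompt_burst", len(failed)))
        elif result == "push_approved":
            if len(failed) >= threshold:  # an approval right after a burst
                alerts.append((user, ts, "approved_after_burst", len(failed)))
            failed.clear()
    return alerts

if __name__ == "__main__":
    for user, ts, kind, count in detect_push_fatigue(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {user} {kind} failed_prompts={count}")
```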

The New York Post noted, “The hacker who took responsibility reportedly claims to be just 18 years old, and gained access to the ride-sharing giant’s internal networks by pretending to be an IT worker and asking for an unnamed Uber employee’s password.”

Then in December, a third-party vendor attack breached corporate and employee data as well as company documents, which were all leaked. BleepingComputer Editor-in-Chief Lawrence Abrams reported, “A threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches.”

“The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.” The attack targeted an AWS backup server outsourced by Teqtivity to store data for its customers.

Transparency about breaches needs to be swift. Uber’s former Chief Security Officer Joseph Sullivan awaits sentencing after being convicted on two charges for covering up data leaked on millions of customers in 2014 and 2016. This is the company’s tenth cybersecurity incident.

Reflecting on the guilty verdict of Uber’s ex-CSO, the CISO of SafeBreach submitted a commentary in DarkReading. “A breach is, quite correctly, viewed as a failure of the company to protect the data that was breached. It can also ultimately be viewed as a failure of the CISO.” Organizations need to think about outcomes—as this CISO notes—when (not if) bad actors or nation-states attack your company.

“Addressing worst-case scenarios and having a contingency plan in place before you get breached can minimize the financial and operational fallout when you do.” He adds, “Such a plan will only be successful if it has been created, vetted, and rehearsed well in advance.”

A Better Way to Protect Your Mobile Privacy

Companies need to have a robust Data Privacy Framework to ensure they are operating within privacy regulations where they do business. CISOs must implement a strict mobile device management policy.

An IT review of the Uber breach last fall notes, “Hard-coded credentials used in the Uber breach allowed for administrative access to a privileged access management programme.” It adds, “To guarantee that workers and outside contractors have the least amount of permissions necessary to perform their responsibilities, consistently use the principle of least privilege, beginning at the endpoint.”

You can turn off tracking and location services in your phone’s privacy and security settings. However, “Apps like Uber and Lyft will track your location for their drivers, and they may do it constantly, not just when you need a ride. There isn’t usually a way to turn off location tracking for these apps without disabling them.”

Contact us to learn more about how you can protect your company with our encrypted mobile solutions: ChatMail™, and our latest innovation Renati, a secure mobile operating system currently in beta testing.