CYBERSECURITY AWARENESS MONTH | BE AWARE. BE SECURE. | Download our essential guide and Empower your users to fight cybercrime. | CYBERSECURITY AWARENESS MONTH | BE AWARE. BE SECURE. | Download our essential guide and Empower your users to fight cybercrime. | CYBERSECURITY AWARENESS MONTH | BE AWARE. BE SECURE. | Download our essential guide and Empower your users to fight cybercrime. | CYBERSECURITY AWARENESS MONTH | BE AWARE. BE SECURE. | Download our essential guide and Empower your users to fight cybercrime. | CYBERSECURITY AWARENESS MONTH | BE AWARE. BE SECURE. | Download our essential guide and Empower your users to fight cybercrime. | CYBERSECURITY AWARENESS MONTH | BE AWARE. BE SECURE. | Download our essential guide and Empower your users to fight cybercrime. |
Lessons learned from the Uber data breach
Uber employees last month discovered a hacker intrusion into their internal network. This was possible because the attacker announced his feat on the organization’s Slack channel, as well as sharing it with the New York Times, which brought the story about the Uber data breach to light.
This isn’t the first time a data breach has occurred at Uber. Previously, the company had to pay a fine of US$148 million due to the theft of data from 57 million users and 7 million drivers worldwide in the year 2016.
The 2016 attack further prompted the conviction of former Uber CSO Joe Sullivan for hiding data breaches and theft from authorities.
In this article, we??re going to dig into the two times Uber data was breached and the lessons learned from those intrusions. To facilitate your understanding, we have divided our text into topics. They are:
- How did the data breach at Uber happen?
- How did Uber respond to the hack?
- What was the impact for the organization?
- Who is responsible?
- How did the 2016 Uber data breach occured?
- About senhasegura
How did the Uber data breach happen?
An attacker is believed to have purchased an Uber contractor’s corporate password on the dark web after their personal device was infected with malware, exposing their credentials.
The contractor received multiple requests for two-factor login approval and ended up releasing access to the attacker, who was able to log into the collaborators account and gain access to various tools, such as the organization’s Slack.
Known as an MFA fatigue attack, this social engineering technique involves bombarding the victim’s authentication app with push notifications so that they accept and allow access to their accounts and devices.
He then posted a message on the Slack channel announcing the Uber data breach. He complained that the company’s drivers are underpaid, as well as exposing screenshots showing assets he has gained access to, such as Amazon accounts, Web Services and code repositories.
How did Uber respond to the hack?
According to Uber’s website, its security monitoring processes allowed it to quickly identify and respond to the attack.
Their focus would have been on ensuring that the hacker no longer had access to their systems, thus protecting user data, as well as investigating the scope and consequences of the incident.
His actions included:
- Identify employee accounts that could be compromised and
- block their access to request a password reset;
- Disable tools potentially affected by data breach at Uber;
- Reset access to keys for internal services;
- Prevent new code changes;
- Require employees to re-authenticate when restoring access to internal tools, as well as strengthen policies related to multiple factor authentication (MFA); and
- Expand monitoring of the internal environment.
What was the impact for the organization?
Also according to information released by Uber, the hacker had access to the company’s internal systems, but investigations are still ongoing. On the other hand, it was already possible to obtain some information:
- Uber did not find access to its production systems, that is, to public-facing tools; user accounts and databases with their information;
- The company encrypted its users’ credit card and health data, providing them with more protection;
- It also revised its codebase, which did not point to attacker access to customer data stored in its cloud environments;
- Apparently, the hacker downloaded internal Slack messages and information from an internal invoice management tool;
- The attacker was also successful when he tried to join Uber’s dashboard on HackerOne, where there are bugs. However, the bugs accessed by it have already been fixed;
- Despite being able to keep its services running during the process, Uber had its support operations impacted due to the need to disable internal tools.
Are you enjoying this post? Join our Newsletter!
Newsletter Blog EN
Who is responsible?
What we do know about the hacker is that he claims to be 18, did nothing to hide the Uber data leak, and likely his actions were not motivated by financial gain through espionage, extortion or ransomware.
Furthermore, he is believed to be a member of a group of cybercriminals called Lapsus$, which has already breached Microsoft, Samsung and Cisco, among other major corporations. The US Department of Justice and the FBI are investigating the case.
How did the 2016 Uber data breach occured?
The news about a data leak at Uber, which took place in 2016, also became public some time ago. At the time, cybercriminals had access to the data of 57 million users worldwide, in addition to 7 million drivers, which 600 thousand are from the United States.
When Uber discovered the hack, it did not communicate the victims. Other than that, he paid a hacker to keep the fact secret. This conduct violated state law and prompted the Pennsylvania attorney general to demand changes in the organization’s corporate behavior.
In addition, Uber had to pay $148 million in a national settlement, which was distributed among the 50 states and the District of Columbia.
Another consequence was the recent conviction of former Uber CSO Joe Sullivan for obstructing Federal Trade Commission proceedings and covering up the hack. He faces up to eight years in prison on the charges.
We, at senhasegura, are part of MT4 Tecnologia, a group of companies focused on digital security, founded in 2001 and active in more than 50 countries.
Our main objective is to ensure digital sovereignty and security to our contractors, granting control of privileged actions and data and preventing theft and leakage of information.
For this, we follow the life cycle of privileged access management through machine automation, before, during and after access. We also work for:
- Avoid interruptions in the activities of the companies, which may impair their performance;
- Automatically audit privilege usage;
- Automatically audit privileged changes to identify privilege abuses;
- Offer advanced PAM solutions;
- Reduce cyber risks;
- Bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001 and Sarbanes-Oxley.
In this article, we show you how a data breach occurred at Uber recently and another in 2016. If you found it interesting, share it with someone who wants to know more about this topic.
ADDITIONAL READING ON THE SENHASEGURA BLOG