Ride-sharing company Uber suffered a security breach Thursday, Aug. 15, that forced the company to shut down several internal communications and engineering systems.
The company confirmed the incidents in a Twitter post, saying officials have been in touch with law enforcement, and The New York Times reported that a person claiming responsibility for the hack sent images of emails, cloud storage and code repositories to cybersecurity researchers and the paper.
Hacker communicates with employees via Slack
Uber employees were told not to use Slack, the company’s internal messaging service, the Times reported. Prior to Slack being taken offline Thursday afternoon, Uber employees received a message that said, “I announce I am a hacker and Uber has suffered a data breach.” The message also detailed several internal databases the hacker claimed had been compromised, according to the Times.
An Uber employee’s Slack account was reportedly compromised by the hacker to send the message. The hacker was apparently able to later gain access to other internal systems and posted an explicit photo on an internal employee information page.
According to the Times, the supposed hacker used social engineering, claiming they were the corporate information technology person at Uber in order to convince an employee to provide a password that allowed the hacker to gain access to Uber’s systems.
SEE: Mobile device security policy (TechRepublic Premium)
It is not clear how widespread the compromise is or if the hacker gained access to user data.
This is not the first time Uber has experienced a security breach. In 2016, the company’s systems were hacked, exposing the personal data of about 57 million of its customers and employees.
Security officials stress the need to educate employees
Security officials did not appear to be surprised by the breach.
“This was bound to happen as attention to cloud security is often an afterthought,” observed Tom Kellermann, certified information security manager (CISM) and senior vice president of cyber strategy at Contrast Security.
According to Kellermann, cybersecurity isn’t always seen as a business function; instead, it’s viewed as an expense. To avoid such breaches in 2023, Kellermann claims businesses will need to begin focusing on continuous monitoring of cloud-native environments.
“This breach highlights the need for companies to educate their employees about the dangers of social engineering and how to defend against it,” said Darryl MacLeod, vCISO at LARES Consulting. “Social engineering attacks are becoming more common and more sophisticated, so it’s important to be aware of the dangers. If you work for a company that holds sensitive data, make sure you know how to spot a social engineering attack and what to do if you encounter one.”
Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software, said its research shows the average U.S. business experiences 42 cyberattacks per year, three of them successful.
“While the impact to business operations and financial losses may be the most tangible examples of the damage that these attacks cause, the reputational impacts can be equally devastating,” said Darren Guccione, CEO and co-founder of Keeper Security. “High profile breaches must serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA (multi-factor authentication), and use strong and unique passwords.”
The first line of defense is a password manager, Guccione said.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
“This will create high-strength random passwords for every website, application and system and, further, will enable strong forms of two-factor authentication, such as an authenticator app, to protect against remote data breaches,” said Guccione.
Guccione stressed the importance of training employees on how to identify suspicious phishing emails or smishing text messages, saying that they “seek to install malware into critical systems, prevent user access and steal sensitive data.”
That sentiment was echoed by Ray Kelly, fellow at Synopsys Software Integrity Group, a Mountain View, California-based provider of integrated software systems.
“There’s a reason cybersecurity experts say that the human is often the weakest link when it comes to cybersecurity,” said Kelly. “While companies can spend significant budget on security hardware and tools, in-depth training and testing of employees does not get the focus it should.”
Social engineering is going to be the easiest route for a malicious actor to gain access to a company’s network, Kelly added.
Preventing security incidents is a “mission impossible,” noted Shira Shamban, CEO at Solvo, a Tel Aviv-based security cloud automation enabler.
“Therefore, security teams will be measured on the guardrails they put in place and the tiers of protection they designed,” Shamban said. “Utilizing IAM (identity and access management) is a smart way to make sure [that] even if some of your credentials are compromised, or some machines get hacked, the blast radius will be limited and the attacker’s ability to make lateral movement will be restricted.”