Ride-sharing company Uber suffered a security breach on Thursday, August 15, forcing the company to shut down several internal communications and technical systems.
The company confirmed the incident in a Twitter post, saying officials have been in contact with law enforcement. The New York Times reported that a person claiming responsibility for the hack sent images from emails, cloud storage and code repositories to cybersecurity researchers and the newspaper.
Hacker communicates with employees via Slack
Uber employees were told not to use Slack, the company’s internal messaging service, the Times reported. Before Slack was taken offline on Thursday afternoon, Uber employees received a message that read, “I’m announcing that I’m a hacker and Uber has suffered a data breach.” The message also listed several internal databases that the hacker claimed had been compromised, the Times reported.
The hacker allegedly compromised an Uber employee’s Slack account to send the message. The hacker was later apparently able to access other internal systems and posted an explicit photo on an internal employee information page.
According to the Times, the alleged hacker used social engineering, claiming to be a corporate information technology person at Uber to convince an employee to provide a password that would allow the hacker to access Uber’s systems.
It’s not clear how widespread the compromise is or whether the hacker gained access to user data.
It’s not the first time Uber has faced a security breach. In 2016, the company’s systems were hacked, exposing the personal data of approximately 57 million of its customers and employees.
Security officials emphasize the need to train employees
Security officials did not seem surprised by the breach.
“This had to happen, as cloud security is often an afterthought,” said Tom Kellermann, certified information security manager (CISM) and senior vice president of cyber strategy at Contrast Security.
According to Kellermann, cybersecurity is not always seen as a business function; instead, it is seen as an expense. To prevent such breaches in 2023, Kellermann argues that companies should focus on continuous monitoring of cloud-native environments.
“This breach highlights the need for companies to educate their employees about the dangers of social engineering and how to defend themselves against it,” said Darryl MacLeod, vCISO at LARES Consulting. “Social engineering attacks are becoming more common and more sophisticated, so it’s important to be aware of the dangers. If you work for a company that holds sensitive data, make sure you know how to spot a social engineering attack and what to do if you encounter one.”
Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software, said its research shows that the average U.S. business experiences 42 cyberattacks per year, three of which are successful.
“While business impacts and financial losses are the most tangible examples of the damage these attacks cause, the reputational impact can be equally devastating,” said Darren Guccione, CEO and co-founder of Keeper Security. “High profile breaches should serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA (multi-factor authentication), and use strong and unique passwords.”
The first line of defense is a password manager, Guccione said.
“This will create very strong random passwords for any website, application and system, and will also enable strong forms of two-factor authentication, such as an authenticator app, to protect against remote data breaches,” said Guccione.
Guccione stressed the importance of training employees to identify suspicious phishing emails or smishing text messages, saying they “try to install malware on critical systems, prevent user access and steal sensitive data.”
That sentiment was echoed by Ray Kelly, fellow at Synopsys Software Integrity Group, a Mountain View, California-based provider of integrated software systems.
“There’s a reason cybersecurity experts say humans are often the weakest link when it comes to cybersecurity,” Kelly says. “While businesses can spend a significant budget on security hardware and tools, in-depth employee training and testing is not getting the focus it should.”
Social engineering is becoming the easiest way for a malicious actor to gain access to a company’s network, Kelly added.
Preventing security incidents is a “mission impossible,” noted Shira Shamban, CEO of Solvo, a Tel Aviv-based security cloud automation enabler.
“That’s why security teams will be measured by the crash barriers they’ve put in place and the levels of protection they’ve designed,” Shamban said. “Using IAM (Identity and Access Management) is a smart way to ensure that even if some of your credentials are compromised, or some machines are hacked, the blast radius will be limited and the attacker’s ability to make lateral movements will be limited.”