Uber Begins Infosec Hiring Spree After Lapsus$ Hack

Uber has begun a hiring spree for cybersecurity professionals, in the wake of its damaging data breach last week.

The ride hailing giant last week said it was “currently responding to a cybersecurity incident,” after the New York Times reported that a hacker had accessed the company’s network and forced it to take several internal communications and engineering systems offline.

The attacker (said to be 18 years old) had stolen credentials from an external contractor using a fatigue attack, in which the target is flooded with two-factor login requests until one of them is accepted.

Data breach

The attacker then breached several other employee accounts that gave them access to tools including Google Workspace and Slack, Uber said.

The company said it had not seen indications that the attacker had accessed the systems that powered its apps, user accounts or the databases that store sensitive data such as credit card numbers, bank account information or trip history.

It said it had reviewed its codebase and did not believe the attacker had made any changes.

The company said its investigation was ongoing and that it was in close contact with the FBI and the US Department of Justice.

The incident disabled Uber’s internal messaging system, forcing staff to communicate via Salesforce-owned app Slack.

The hacker in question, who uses the name “teapotuberhacker”, also claimed to have leaked early gameplay footage of Rockstar Games’ upcoming game Grand Theft Auto VI on Monday.

Uber has said that the hacker who attacked it, is affiliated with the Lapsus$ group, known for stealing data from companies such as Microsoft, Cisco, NVIDIA, Samsung and Okta with the aim of extorting payments from them.

Hiring spree

The day after Uber’s latest breach was revealed, it emerged the firm had embarked on a hiring spree for security personnel.

Frank McGovern on Twitter noted that a number of open cybersecurity roles at Uber had suddently appeared on LinkedIn last Friday, just one day after the ride-hailing tech giant confirmed the breach to the public.

“Hey remember those roles we didn’t let you hire for? I secured funding.” pic.twitter.com/HGLdbvf9pV

— Frank McGovern (@FrankMcG) September 19, 2022

Vacant positions include ‘senior security incident commander’ to lead incident response; a number of ‘senior security engineers’ at various locations; a ‘senior security engineering manager’ at the company’s threat detection division; and a ‘senior security engineer’ for its investigations unit.

Previous hacks

The adverts for cybersecurity professionals comes after the ride hailing giant suffered multiple cyberattacks over the past eight years.

Back in 2015 for example, Uber waited five months to report that it had been hacked in September 2014 – after details of hundreds of its drivers were leaked online.

Social security numbers, pictures of driver licenses, and vehicle registration numbers were among the details accidentally revealed by the taxi company, with as many as 647 drivers thought to have been affected across the US.

And much worse was to follow in 2016, when Uber again concealed a data breach that exposed data from 57 million customers and drivers.

The 2016 hack resulted in no financial details or journey records being stolen by the hacker, but the attackers were paid $100,000 in bitcoin to delete the files. That said, some personal information was stolen and there was no guarantees the data was actually destroyed.

To make matters worse, Uber actually used its “bug bounty” program (normally used to identify small code vulnerabilities), to pay off the hackers (one of whom was to be an unidentified 20-year-old man in Florida).

Uber came clean about the incident in November 2017, after newly installed CEO Dara Khosrowshahi became aware of the breach, after joining the firm.

Read More: What on Earth was Uber thinking?

Khosrowshahi’s admission in 2017 that Uber had not revealed the breach for over a year prompted an investigation by European authorities.

The British Information Commissioner’s Office (ICO) fined the company 385,000 pounds ($490,760), while the Dutch Data Protection Authority (DPA) slapped Uber with a 600,000 euro ($678,780) fine.

Uber in September 2018 also announced that it would pay $148m to settle legal action over the attack.

Then in August 2020 federal prosecutors in the United States formally charged the former head of security at Uber (Joseph Sullivan), for concealing its controversial data breach in 2016.

His trial began earlier this month in San Francisco – and his trial is believed to be the first case of an executive facing criminal charges over such a breach.