Uber Responding After ‘Cybersecurity Incident’

Ride-hailing giant Uber confirms ‘cybersecurity incident’, amid reports that an 18-year-old hacker accessed its network via social engineering

Ride-hailing firm Uber has confirmed it is “currently responding to a cybersecurity incident,” after reports emerged it had been hacked.

The confirmation came after the New York Times reported that a hacker had gained access to the company’s network, forcing it to take several internal communications and engineering systems offline. The newspaper reported that the hacker claimed to be 18 years old.

This is not the first time Uber has been hacked. The company waited five months to report that it had been hacked in September 2014, after details of hundreds of its drivers were leaked online.

Previous hacks

Social security numbers, pictures of driver licenses, and vehicle registration numbers were among the details accidentally revealed by the taxi company, with as many as 647 drivers thought to have been affected across the US.

But much worse was to follow in 2016, when Uber again concealed a data breach that exposed data from 57 million customers and drivers.

No financial details or journey records were taken in the 2016 hack, but the attackers were paid $100,000 in bitcoin to delete the files they had downloaded. Some personal information was stolen, and there was no guarantee the data was actually destroyed.

To make matters worse, Uber routed the payment through its “bug bounty” program (normally used to reward researchers who report code vulnerabilities) to pay off the hackers, one of whom was reported to be an unidentified 20-year-old man in Florida.

Uber came clean about the incident in November 2017, after newly installed CEO Dara Khosrowshahi, who had recently joined the firm, became aware of the breach.

Khosrowshahi’s admission in 2017 that Uber had not revealed the breach for over a year prompted an investigation by European authorities.

The British Information Commissioner’s Office (ICO) also fined the company 385,000 pounds ($490,760), while the Dutch Data Protection Authority (DPA) slapped Uber with a 600,000 euro ($678,780) fine.

Uber in September 2018 also announced that it would pay $148m to settle legal action over the attack.

Then in August 2020 federal prosecutors in the United States formally charged Uber’s former head of security, Joseph Sullivan, with concealing the 2016 data breach.

His trial began earlier this month.

Fresh breach

Now, five years on from those breaches, Uber appears to have been compromised again: it tweeted that it was responding to a ‘cybersecurity incident’ after reports of a hack of its internal systems.

Uber’s ride-hailing service, which operates in more than 10,000 cities around the world, appears to have been unaffected.

According to the New York Times, the hacker gained access to Uber’s Slack workspace, the messaging app used by its employees, and used it to send a message to staff announcing that the company had suffered a data breach.

Screenshots appearing to show Uber’s hacked internal systems have appeared on Twitter.

It seems as though the hacker was able to gain access to other internal company systems, posting an explicit photo on an internal information page for employees, according to the New York Times.

The Slack system was taken offline on Thursday afternoon by Uber after employees received the message from the hacker.

“I announce I am a hacker and Uber has suffered a data breach,” the message reportedly read, going on to list several internal databases that were claimed to be compromised.

The New York Times reported that the person who claimed responsibility for the hack said they gained access through social engineering – which is where a hacker tricks a staff member into granting them access.

The hacker reportedly sent a text message to an Uber worker, claiming to be a member of the company’s technical staff, and persuaded the worker to hand over a password that gave them access to the network. The hacker, who had provided a Telegram account address, reportedly said they broke in because the company had weak security.

Staff were instructed not to use Slack, and other internal systems were reportedly inaccessible as well.

Social engineering

The hacker’s use of social engineering as the attack vector was noted by Jake Moore, global cyber security advisor at ESET.

“This attack has left Uber with a significant amount of data leaked with the potential of including customer and drivers’ personal data,” noted Moore.

“This is seemingly the work of a clever socially engineered attack highlighting once again the importance of training staff to remain eagle-eyed and with the ability to spot targeted phishing attempts and double check before handing over any sort of credentials.”

“Gaining entry to private data inside VPNs needs to be difficult and behind strict protections,” said Moore. “Using a simple SMS as a vehicle to hack into their systems now leaves Uber with a lot of questions about how much data was compromised via such an easy method.”

Human risk

Meanwhile Ian McShane, VP of strategy at Arctic Wolf, said this incident demonstrates how humans are often the weakest link in any organisation’s security regime.

“Uber is renowned for having some of the best cybersecurity in the business so the fact they have been compromised points to what we should all know, nobody’s perfect and even the best managed security organisations can be compromised,” said McShane. “The key is how quickly you respond and mitigate the issue which they appear to have done here.”

“While no official explanation has been provided yet, someone claiming to be the attacker explains that initial access was gained through social engineering – contacting an unwitting Uber staff member, pretending to be tech support and resetting their password,” noted McShane. “Then the intruder was able to connect to Corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.”

“This is a pretty low-bar to entry attack and is something akin to the consumer-focused attackers calling people claiming to be MSFT and having the end user install keyloggers or remote access tools,” said McShane. “Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort, it looks like they did it ‘for the lulz’.”

“Attacks that make use of insider threats and compromised user credentials continue to grow – by 47 percent, according to the 2022 Ponemon Institute report – and it’s proof once again that often the weakest link in your security defences is the human,” said McShane.

“It is therefore critical that you manage that risk by running regular training and security awareness sessions while running around-the-clock monitoring, detection, and response, as well as other security operations solutions to reduce risk and keep your organisation protected,” McShane concluded.
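McShane’s reference above to admin credentials stored in plain text on a network share points to a check defenders can run for themselves, before an intruder does. What follows is an added example, not Uber’s code and not anything from the article or from Arctic Wolf: a Python scanner that walks a share mounted at a local path and reports credential-shaped lines with the secret value redacted, so the report itself does not become a credential dump. The file layout, the sample file contents and the regex patterns are assumptions constructed here for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Credential-shaped strings to look for. These regexes are assumptions for
# this example, not a complete list; extend them for your own environment.
PATTERNS: Dict[str, "re.Pattern"] = {
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_embedded_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@"),
}

# Only script and config files are read; binaries and oversized files are skipped.
TEXT_EXTENSIONS = {".ps1", ".sh", ".bat", ".cmd", ".txt", ".ini", ".cfg", ".conf",
                   ".yml", ".yaml", ".json", ".env", ".xml", ".properties"}
MAX_BYTES = 4 * 1024 * 1024


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # identifies the hit without reproducing the secret


def _mask(kind: str, matched: str) -> str:
    """Keep enough context to triage the hit, never the secret itself."""
    if kind == "password_assignment":
        key = re.split(r"\s*[:=]\s*", matched, maxsplit=1)[0]
        return f"{key}=<redacted>"
    if kind == "aws_access_key":
        return matched[:4] + "..." + matched[-4:]
    return "<redacted>"


def _is_candidate(path: str) -> bool:
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower() or name.lower()  # ".env" has no extension
    if ext not in TEXT_EXTENSIONS:
        return False
    try:
        return os.path.getsize(path) <= MAX_BYTES
    except OSError:
        return False


def scan_share(root: str) -> List[Finding]:
    """Walk a share mounted at `root` and report credential-shaped lines."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not _is_candidate(path):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for kind, rx in PATTERNS.items():
                            m = rx.search(line)
                            if m:
                                findings.append(Finding(path, line_no, kind, _mask(kind, m.group(0))))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(findings, key=lambda f: (f.path, f.line_no, f.kind))


def build_sample_share() -> str:
    """Constructed sample files (invented, not real data) laid out like a small IT share."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "it-scripts"))
    samples = {
        "it-scripts/onboard.ps1": '$user = "svc_admin"\n$Password = "Winter2022!"\n',
        "it-scripts/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "db.env": "DATABASE_URL=postgres://admin:s3cret@db.internal:5432/prod\n",
        "notes.txt": "vpn gateway: vpn.corp.example\n",
        "photo.jpg": "password=notscanned\n",  # non-text extension: skipped
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_share(share):
        print(f"{os.path.relpath(f.path, share)}:{f.line_no}  {f.kind}  {f.excerpt}")
```

Run as-is it scans the constructed sample tree and reports three hits (the embedded database password, the AWS access key and the PowerShell password variable) while ignoring the note file and the image. Against a real share, point `scan_share` at the mount point; the redaction in `_mask` is deliberate, since a findings file that quotes the secrets verbatim is exactly the kind of file the scan is meant to eliminate.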