
Uber Data Breach of Employee Information Caused by Third-Party Vendor

A new Uber data breach that took place on December 12 has reportedly compromised the information of about 77,000 employees. The incident has been traced back to a third-party vendor, and the stolen data has been posted to a dark web forum.

The breach resulted in the theft of a variety of internal company information; in terms of impact to individual employees, email addresses, company ID numbers and Windows Active Directory information were taken. The thieves also got away with source code and other internal corporate data.

Uber data breach does not appear to be for profit, data dumped freely to dark web

There were some initial reports that the Lapsus$ hacking group was involved due to the forum post making reference to them, but Uber says that it does not believe the group was responsible. The incident would not fit with their MO, which is to steal money for the reclusive country’s government.

The hacker instead appears to be freely dumping all the information from the Uber data breach on the dark web. The stolen data comes from Uber, Uber Eats, and third-party vendors Teqtivity (an IT asset tracking service) and TripActions (a corporate credit card management company). TripActions has stated that it was not breached, and media outlets are reporting that Teqtivity was the source of the initial compromise. Uber has only said that it believes a third-party vendor is responsible, and Teqtivity has published a data breach notification indicating that an attacker gained access to one of its Amazon AWS cloud servers.

The data that has been posted to the dark web thus far includes source code for the mobile device management platforms of all of these companies, IT asset management information, corporate reports, data destruction reports, and Windows domain login names. About 77,000 employees are thought to be impacted. The archive files from the Uber data breach are thought to contain about 20 million records in total.

As Paul Bischoff (privacy advocate at Comparitech) observes, in a way, it is worse that the attacker is doing a “hacktivist” sort of public dump of the stolen data as it means that phishing attempts that make use of it will come in faster and be more frequent: “The leaked data included email addresses and active directory info for thousands of Uber employees. Given that the data is now publicly accessible, as opposed to being sold to a single party, anyone could use it to launch targeted phishing attacks against Uber employees. These attacks could trick Uber staff into giving up login credentials, leading to further, more consequential attacks. Even if only a handful of employees out of the 77,000 affected were to fall victim to a phishing scam, it could be detrimental to Uber and its customers.”

Attack on third-party vendor thought to be separate from earlier data breach

The assumption of a connection to Lapsus$ is a natural one, as the notorious APT group was responsible for a different Uber data breach that took place in September (as part of a general wave of thefts spanning the past year). That attack involved direct penetration of Uber’s internal network, and the company believes an older password that had not been scrubbed from the system was purchased via the dark web. Those hackers penetrated a company Slack channel and exfiltrated some financial information. However, the current hacker appears to have been making some sort of a cheeky reference to that incident rather than being affiliated with the group.

Uber employees and third-party vendors were likely already on alert for phishing scams due to this recent breach, but have been reminded that the stolen internal information will likely be used to target them in the hopes of once again penetrating the company. Even if the thieves took all available business information, there is likely customer personal data and payment information that they did not access and would be interested in returning for.

The fact that Teqtivity was breached could mean that more companies will end up being involved. The third-party vendor does not appear to list its clients publicly, but its breach notification leaves open the possibility that other organizations were impacted.

Though a third-party vendor is thought to be responsible in this case, Uber has had a rocky ongoing relationship with cybersecurity since its customer and driver records were infamously leaked in 2016. The associated attempt to pay off the hackers while covering up the incident recently concluded in a conviction for former Chief Security Officer Joe Sullivan, who was found to have attempted to conceal the scope of the incident from incoming new management and company lawyers. Uber Eats has also been breached before, in a relatively small 2018 incident that saw several hundred customer and driver files appear on the dark web.

Nick Tausek, Lead Security Automation Architect at Swimlane, notes that these previous breaches have been bad for Uber’s financial fortunes: “As Uber attempts to recover leaked data, it is also experiencing reputational and financial fallout from its second major cyber incident in three months. In September, Uber shares fell 5.2% with news of the data breach, making it likely that the company will suffer the same fate in the days following this incident … The September Uber breach was exacerbated by lax security policies at Uber, including storing sensitive credentials on network shares. Unfortunately, the most recent attack highlights the company’s vulnerability despite the protection of a third-party vendor. To better defend against similar cyber incidents, it is essential that companies like Uber adopt systemwide, low-code security automation.”

And A.N. Ananth, chief strategy officer at Netsurion, observes that while Uber may have taken some security lessons from its previous misfortunes, this knowledge may not have made its way to its interactions with third-party vendors: “From the previous Uber data breach, it was suggested that the hacker gained initial access by bombing an internal user with repeated MFA requests till he accepted one just to make it stop. The lesson learned is that MFA is not a silver bullet, and that MFA fatigue is a thing now. After all, who can ignore 300 MFA messages at 3 AM ostensibly from the IT Dept? Another lesson here is that just as we set up limits on password retry and disable accounts to prevent brute force password guessing, so also, we must set up MFA exhaust limits. Once this initial access was gained, the attacker uncovered PowerShell scripts which had hardcoded passwords for admin accounts. This allowed lateral movement. The lesson here is obvious – convenience is the enemy of security. Lastly, we can all bemoan that ‘users are the weakest link’ but given an ‘assume breach’ mentality, the takeaway is to perform social engineering assessments, in addition to usual vulnerability scans.”
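The "MFA exhaust limit" described in the quote above can be sketched as a sliding-window counter of denied or ignored push prompts, in the same way a password-retry lockout works. This is an added example, not code from Uber, Netsurion or any MFA product; the class name, thresholds and outcome labels are assumptions, and the event list is constructed sample data.

```python
from collections import defaultdict, deque

class MfaExhaustLimiter:
    """Lock a user's push factor after too many unapproved prompts in a window."""

    def __init__(self, max_unapproved=5, window_s=600, lockout_s=3600, review_after=3):
        # All thresholds are assumed values for illustration; tune per environment.
        self.max_unapproved = max_unapproved
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.review_after = review_after
        self._misses = defaultdict(deque)   # user -> timestamps of denied/timed-out prompts
        self._locked_until = {}             # user -> time the lockout ends

    def may_prompt(self, user, now):
        """False while the push factor is locked: no prompt should be sent at all."""
        return now >= self._locked_until.get(user, 0)

    def record(self, user, now, outcome):
        """Record one prompt outcome ('approved', 'denied', 'timeout'); return the decision."""
        if not self.may_prompt(user, now):
            return "blocked"
        misses = self._misses[user]
        while misses and now - misses[0] > self.window_s:
            misses.popleft()                # forget misses older than the window
        if outcome == "approved":
            # An approval straight after a run of misses is the fatigue pattern:
            # let policy decide, but surface it for review instead of trusting it.
            return "approved_review" if len(misses) >= self.review_after else "approved"
        misses.append(now)
        if len(misses) >= self.max_unapproved:
            self._locked_until[user] = now + self.lockout_s
            misses.clear()
            return "locked"                 # require help desk or another factor
        return "counted"

def replay(events, limiter=None):
    """Run (timestamp, user, outcome) events through a limiter, in order."""
    limiter = limiter or MfaExhaustLimiter()
    return [limiter.record(user, ts, outcome) for ts, user, outcome in events]

# Constructed sample: alice is flooded with prompts, bob has one ordinary timeout.
SAMPLE_EVENTS = [
    (0, "alice", "denied"), (10, "bob", "timeout"), (60, "alice", "denied"),
    (120, "alice", "timeout"), (180, "alice", "denied"), (240, "alice", "denied"),
    (330, "alice", "approved"), (700, "bob", "approved"), (4000, "alice", "approved"),
]
```

With the sample data, the fifth unapproved prompt locks alice's push factor, so the approval at t=330 is refused even though the user tapped "accept".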

Dr. Ilia Kolochenko, Chief Architect & CEO of ImmuniWeb, echoes the point that this particular Uber data breach should be a caution to organizations to review the state of their relationships with third-party vendors, no matter how confident they may feel in their own internal security: “Vulnerable third parties are usually the weakest link of tech giants like Uber. After the recent criminal conviction of ex-executive of Uber in relation to the 2016 data breach, Uber has likely boosted its investments into cybersecurity. Despite all the efforts, controlling your external vendors is an arduous and costly task, which is often underfunded and underprioritized compared to other security processes. Unsurprisingly, pragmatic cybercriminals hit the most vulnerable party to extract valuable data from Uber, which can be now exploited to further sophisticated attacks. For instance, cybercriminals will likely exploit the stolen information about Uber’s network architecture and personal data of employees for advanced spear-phishing or password-spraying attacks, trying to break into Uber’s internal networks and get access to customer databases. Their chances to succeed are unfortunately quite high in view of the confidential information allegedly in their possession. From a legal viewpoint, this third-party data breach is disastrous news for Uber that may be now accused of systematic failures to implement necessary security controls, as well as of a flawed information security management system. Given the size and impact of the breach, both federal and state US agencies may go after the breached supplier and Uber.”