Uber Makes Headlines After New Social Engineering Attack
On September 15, 2022, it was reported that American mobility as a service provider Uber was hit with another massive data breach that was impacting the company’s entire network. Likewise, this breach is alleged to have been more damaging than the last major breach that the company experienced in 2016, an incident that resulted in the personal information of more than 57 million users being disclosed to the general public. To this point, Uber initially tried to cover up the occurrence of the data breach that took place in 2016 by offering to pay the hackers who had launched the attack $100,000 in bitcoin. Nevertheless, the truth of this coverup was ultimately revealed by a Federal Trade Commission (FTC) investigation that was conducted nearly a year later.
Given this background information, Uber will undoubtedly be facing a huge amount of criticism and public scrutiny as it pertains to the manner in which they choose to handle the most recent data breach that unfolded this week. To this end, the hacker that performed the attack “is believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including on Amazon Web Services (AWS) and Google Cloud (GCP).” Subsequently, in a New York Times article that broke the news earlier this week, this hacker in question sent a text message to an Uber employee under the guise of being a “corporate information technology personnel.” In turn, this social engineering attack enabled the hacker to infiltrate Uber’s purportedly weak security network, as even the company’s internal messaging system Slack was taken offline.
The risks of social engineering attacks
In contrast to other forms of cybercrime, where a hacker may attempt to access an online network or database through brute force tactics or other similar methods, social engineering attacks instead look to instill a certain level of trust in an employee that works for the company, usually under the premise of being a fellow legitimate employee, before taking advantage of this trust to launch a cyberattack. Once a cybercriminal is able to obtain the credentials of an employee that works for a company such as Uber, they will then have the resources and information necessary to take down the online systems of a business with relative ease, as has been showcased with Uber’s most recent data breach.
As stated by Acronis’ CISO Kevin Reed in a message posted to the social media website Linkedin, “Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, Uber slack management interface…This looks bad. What’s worse is if you had your data in Uber, there’s a high chance so many people have access to it.” However, in spite of the numerous details concerning the cyberattack that have been confirmed, it is still unknown how the hacker in question was able to get past the two-factor authentication process once they had access to the login credentials of an Uber employee.
Uber’s most recent data breach settlement
If the data breach that Uber sustained in 2016 is any indication, the breach that occurred this week may very well result in a multi-million dollar settlement for any aggrieved parties, depending on the legal actions that are undertaken in response to Uber’s alleged lapse in security. This being said, Uber agreed to pay $148 million dollars in a nationwide settlement that the company reached with Washington D.C. Attorney General Karl A. Racine in September 2018. Furthermore, Uber was also required to “strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future”, as well as pay $2.62 million directly to Washington D.C.
In addition to the huge monetary settlements that Uber was ordered to pay in 2018, former security officer Joe Sullivan was also indicted on criminal charges in response to his alleged attempts to cover up the data breach by offering to pay the hackers who launched the attack $100,000 in bitcoin, in accordance with a Non Disclosure Agreement (NDA) that he also reportedly had the cybercriminals sign before he relinquished payment. In a case that is believed to be the first instance of a major executive of a company being criminally liable for their role in a data breach. Sullivan was “charged with 3 counts of three counts of wire fraud, in violation of 18 U.S.C. § 1343; obstruction of justice, in violation of 18 U.S.C. § 1505; and misprision of a felony, in violation of 18 U.S.C. § 4.”
While data breaches have become extremely common in our modern society due to the inherent role that the internet plays in daily life, this fact does not negate the huge risks that such occurrences pose to everyday working people. For this reason, irrespective of the legitimacy behind Uber’s most recent alleged cyberattack, it is imperative that the company handles this event with more diligence and care than has been displayed when similar events unfolded in the past, as even if the company is able to dodge another costly monetary settlement, they will still be faced with the reputation harm that has come to be associated with businesses that experience repeated data breaches over a relatively short period of time.