Uber Investigating Breach of Its Computer Systems

The company said on Thursday that it was looking into the scope of the apparent hack.

A message on Uber’s internal system on Thursday told employees, “I announce I am a hacker and Uber has suffered a data breach.”

By Kate Conger and Kevin Roose

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

The hacker compromised a worker’s Slack account and used it to send the message, the Uber spokesman said. It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees.

The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.

“These types of social engineering attacks to gain a foothold within tech companies have been increasing,” said Rachel Tobac, chief executive of SocialProof Security. Ms. Tobac pointed to the 2020 hack of Twitter, in which teenagers used social engineering to break into the company. Similar social engineering techniques were used in recent breaches at Microsoft and Okta.

“We are seeing that attackers are getting smart and also documenting what is working,” Ms. Tobac said. “They have kits now that make it easier to deploy and use these social engineering methods. It’s become almost commoditized.”

The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.

The person appeared to have access to Uber source code, email and other internal systems, Mr. Curry said. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life,” he said.

In an internal email that was seen by The New York Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.

It was not the first time that a hacker had stolen data from Uber. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the data. Uber arranged the payment but kept the breach a secret for more than a year.

Joe Sullivan, who was Uber’s top security executive at the time, was fired for his role in the company’s response to the hack. Mr. Sullivan was charged with obstructing justice for failing to disclose the breach to regulators and is currently on trial.

Lawyers for Mr. Sullivan have argued that other employees were responsible for regulatory disclosures and said the company had scapegoated Mr. Sullivan.

Uber hack update: was sensitive user data stolen, and did 2FA open the door to the hacker? (Forbes)

Uber has confirmed it is investigating a cybersecurity incident

September 18 update below. This post was originally published on September 15

The New York Times is reporting that Uber has been hacked. Here's what we know so far about this breaking story.

The ride-hailing and food delivery company has suffered a systems breach, according to the report, with employees unable to access internal tools such as Slack. One employee resource page is said to have had a not-safe-for-work image posted to it by the hacker. A bug bounty hunter and security engineer not involved in the alleged hack has posted a comment attributed to an Uber employee, who wished to remain anonymous, which claims they were told to stop using Slack and that "anytime I request a website, I am taken to a page with a pornographic image" and the message 'f*** you wankers.'

Another bug bounty hunter has tweeted a screenshot, allegedly from the hacker, which states, "I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen..." with the hashtag #uberunderpaisdrives.

What has Uber said about the hack?

I reached out to Uber for a comment and was pointed to an official statement posted to Twitter which reads: "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

I have seen messages from someone who claims various Uber admin accounts are under their control. A New York Times reporter says that the hacker tells them he is 18 years old and hacked the Uber systems because "they had weak security." He further claims this was accomplished through the social engineering of an Uber employee to obtain login credentials.

September 18 update

Uber still hasn't had much to say publicly about the incident, which appears to have allowed extensive access to internal systems. This is not all that surprising while investigations are ongoing. Nearly all the evidence of the hack has come from the alleged hacker themselves, in the form of multiple postings and screenshots. However, the Uber and Uber Eats PR team, posting via the @Uber_Comms Twitter account and at the Uber Newsroom online, has released a security update.

Uber confirms incident and says no evidence of sensitive user data exposure

This confirms that the investigation and response efforts continue and states that Uber has "no evidence that the incident involved access to sensitive user data (like trip history)" while confirming all Uber services are operational. The update also says that internal software tools that were initially taken offline are also back in operation.

Which is great news as far as it goes. The problem is that more cynical readers may point out that the very specific language used does not provide real clarity. Saying 'no evidence' is not the same as saying it hasn't happened; combine that with 'sensitive user data' that the statement defines only as being 'like trip history', and there are more questions than answers here. That is especially true given the lack of any statement about the extent of the network breach, the systems accessed, and the level of access acquired by the hacker. One can only hope that such clarity is provided in the coming days and weeks. There hasn't been any notification in my Uber app on the iPhone, so one assumes there will be users who are blissfully unaware that any cybersecurity breach has even happened.

Did MFA fatigue open the door for the Uber hacker?

Where there does appear to be a little more clarity is in the initial attack technique likely used to pry open the front door of Uber's systems. The alleged hacker has boasted about how they used what is known in the cybersecurity industry as MFA fatigue (also called push bombing) as a weapon. Multi-Factor Authentication, which most non-technical users will think of as Two-Factor Authentication (2FA), is a worthy layer in overall network defenses, but a push prompt that can be approved with a single tap is only as strong as the user's willingness to keep declining it. The hacker has claimed that Uber was using 'push authentication' (where the user is asked to confirm that it is really them logging in, on a device such as their laptop or smartphone), and that a targeted employee was spammed with these requests "for over an hour." The hacker says the user was then contacted via WhatsApp under the guise of being from the Uber IT team and told they needed to accept the authentication request in order to stop the prompts. "He accepted and I added my device," the hacker claims.
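
A detection for the push-bombing sequence described above, written here as an added example; it is not code from the article, from Uber or from any identity provider. The log lines are constructed, and the field names, the one-hour window and the five-prompt threshold are assumptions: map a real IdP's push events onto the same (timestamp, user, event, device) tuple before running it on production data.

```python
"""MFA-fatigue (push bombing) detector over identity-provider push logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One event per line. This line format is assumed for the example, not a vendor's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: device=(?P<device>\S+))?$"
)

# Constructed sample log: alice is a normal login; contractor01 is prompted
# repeatedly for over an hour, finally approves, and a new device is enrolled.
SAMPLE_LOG = """\
2022-09-15T09:00:00Z user=alice event=push.sent device=iphone-alice
2022-09-15T09:00:09Z user=alice event=push.approved device=iphone-alice
2022-09-15T13:00:05Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:00:47Z user=contractor01 event=push.denied device=pixel-c01
2022-09-15T13:03:10Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:04:10Z user=contractor01 event=push.timeout device=pixel-c01
2022-09-15T13:07:40Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:08:01Z user=contractor01 event=push.denied device=pixel-c01
2022-09-15T13:12:02Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:13:02Z user=contractor01 event=push.timeout device=pixel-c01
2022-09-15T13:20:30Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:21:30Z user=contractor01 event=push.timeout device=pixel-c01
2022-09-15T13:31:15Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:31:40Z user=contractor01 event=push.denied device=pixel-c01
2022-09-15T13:45:50Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T13:46:50Z user=contractor01 event=push.timeout device=pixel-c01
2022-09-15T14:02:07Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T14:03:07Z user=contractor01 event=push.timeout device=pixel-c01
2022-09-15T14:05:33Z user=contractor01 event=push.sent device=pixel-c01
2022-09-15T14:06:01Z user=contractor01 event=push.approved device=pixel-c01
2022-09-15T14:11:19Z user=contractor01 event=device.enrolled device=android-unknown
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, event, device) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["event"], m["device"]))
    events.sort(key=lambda ev: ev[0])
    return events


def detect(events, window=timedelta(hours=1), burst_threshold=5,
           enroll_window=timedelta(minutes=30)):
    """Flag users who received >= burst_threshold prompts inside `window`.

    Severity rises if the burst ends in an approval, and again if a new
    authenticator is enrolled within `enroll_window` of that approval.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        recent = deque()          # prompt timestamps inside the sliding window
        peak = 0                  # most prompts seen in any one window
        burst_start = approved_at = new_device = None
        for ts, _, event, device in evs:
            if event == "push.sent":
                recent.append(ts)
                while ts - recent[0] > window:   # drop prompts older than the window
                    recent.popleft()
                peak = max(peak, len(recent))
                if burst_start is None and len(recent) >= burst_threshold:
                    burst_start = recent[0]
            elif event == "push.approved" and burst_start and approved_at is None:
                approved_at = ts                 # first approval after the burst began
            elif (event == "device.enrolled" and approved_at and new_device is None
                  and ts - approved_at <= enroll_window):
                new_device = device              # attacker "added my device"
        if burst_start is None:
            continue
        if new_device:
            severity = "critical"   # burst -> approval -> new authenticator enrolled
        elif approved_at:
            severity = "high"       # burst ended in an approval
        else:
            severity = "medium"     # burst only; the user held out
        findings.append({"user": user, "burst_start": burst_start, "peak_prompts": peak,
                         "approved_at": approved_at, "new_device": new_device,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The signal worth paging on is not the burst by itself but the burst followed by an approval and a fresh authenticator enrolment, which is exactly the sequence the hacker describes. The durable fix removes the single-tap approval the technique depends on: number matching in the push prompt, throttling of repeated prompts, and phishing-resistant authenticators such as FIDO2 keys.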

Abhay Bhargav, CEO at AppSecEngineer, says that it appears the MFA phishing attack "led to a PowerShell script getting discovered, with admin credentials to their Thycotic PAM (Privileged Access Management) tool. With all credentials being part of this PAM solution, now the entire org was compromised because the PAM had access to Amazon Web Services (AWS), Google Workspace, Slack and more."
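
Finding the kind of script Mr. Bhargav describes before an attacker does is a routine check: crawl file shares and repositories for credential literals. The scanner below is an added example, not Uber's tooling and not from the article. The scripts it scans are constructed, the share paths and hostnames are fictitious, the patterns cover common PowerShell idioms for embedding secrets, and the AWS keys are the example values from AWS's own documentation.

```python
"""Hardcoded-credential scanner for scripts on file shares or in repositories."""
import re

# Each pattern must capture the literal in a group named "secret".
CREDENTIAL_PATTERNS = [
    ("plaintext_securestring",        # ConvertTo-SecureString "..." -AsPlainText
     re.compile(r"""ConvertTo-SecureString\s+(['"])(?P<secret>[^'"]+)\1\s+-AsPlainText""", re.I)),
    ("password_parameter",            # -Password "..." on any cmdlet
     re.compile(r"""-(?:Password|Pass|Pwd|Secret)\b\s+(['"])(?P<secret>[^'"]{6,})\1""", re.I)),
    ("secret_variable_assignment",    # $apiToken = "...", $env:AWS_SECRET_ACCESS_KEY = "..."
     re.compile(r"""\$(?:env:)?\w*(?:pass(?:word)?|secret|token|apikey)\w*\s*=\s*(['"])(?P<secret>[^'"]{6,})\1""", re.I)),
    ("credentials_in_url",            # https://user:pass@host
     re.compile(r"""https?://[^/\s:@]+:(?P<secret>[^@\s/]+)@""", re.I)),
    ("aws_access_key_id",
     re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b")),
]

# Heuristic: a secret in a script that talks to the PAM or a cloud console is worse
# than one for a printer, because it chains into everything the PAM holds.
HIGH_VALUE_SYSTEM = re.compile(r"SecretServer|Thycotic|AWS|Okta|Google Workspace", re.I)

# Constructed share contents; paths, hosts and secrets are fictitious.
SCRIPTS = {
    r"\\fileshare\it\scripts\backup-pam.ps1": r'''
# Nightly export of privileged accounts (constructed example)
$pamUrl = "https://pam.corp.example/SecretServer"
$user = "svc_pam_admin"
$pass = ConvertTo-SecureString "Winter2022!Admin" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
Invoke-RestMethod -Uri "$pamUrl/api/v1/secrets" -Credential $cred
New-SmbMapping -LocalPath Z: -RemotePath \\backup01\exports -UserName svc_backup -Password "Sh@re-2022!"
''',
    r"\\fileshare\it\scripts\sync-aws.ps1": r'''
# Pushes reports to S3 (constructed; keys are AWS's documented example values)
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
aws s3 cp .\reports s3://corp-reports-example/ --recursive
''',
    r"\\fileshare\it\scripts\printer-setup.ps1": r'''
$printerPassword = "Pr1nt3r-Adm!n"
Add-Printer -ConnectionName "\\print01\hr-laser"
''',
    r"\\fileshare\it\scripts\rotate-logs.ps1": r'''
# Clean: credentials are prompted for at run time, nothing is embedded
$cred = Get-Credential -Message "Enter your service account credentials"
$token = Read-Host -AsSecureString "API token"
Compress-Archive -Path C:\logs\*.log -DestinationPath C:\archive\logs.zip
''',
}


def redact(secret):
    """Keep enough to recognise the hit without re-leaking the value."""
    return secret[:4] + "***"


def scan_text(path, content):
    """Return one finding per (line, pattern) hit in a single script."""
    critical = HIGH_VALUE_SYSTEM.search(content) is not None
    findings = []
    for line_no, line in enumerate(content.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": line_no, "kind": kind,
                                 "redacted": redact(m["secret"]),
                                 "severity": "critical" if critical else "high"})
    return findings


def scan_scripts(scripts):
    """scripts: mapping of path -> text, as a share crawl or git checkout yields."""
    findings = []
    for path, content in scripts.items():
        findings.extend(scan_text(path, content))
    return findings


if __name__ == "__main__":
    for f in scan_scripts(SCRIPTS):
        print(f"{f['severity']:8} {f['kind']:26} {f['path']}:{f['line']} {f['redacted']}")
```

A hit on a share that ordinary domain users can read should be treated as a credential that is already compromised: rotate it first, then move the script to a credential fetched at run time (Get-Credential, a vault lookup, or a managed identity) so there is nothing on disk for the next phished account to find.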

Uber security vulnerability reports could have been stolen

Bleeping Computer has been in contact with the alleged hacker and has seen screenshots showing access to "critical Uber IT systems" that include security software, Amazon Web Services console, Google Workspace email admin dashboard and the aforementioned Slack server. It would also appear that the hacker gained access to Uber's HackerOne vulnerability bug bounty account, leaving comments on a number of report tickets. This could yet prove to be one of the most valuable resources from the attacker's perspective, as it has been claimed that Uber's vulnerability reports were downloaded. Marten Mickos, the HackerOne CEO, has stated that the Uber account has been locked down and the company is working with Uber to assist in the investigation.

"This attack has left Uber with a significant amount of data leaked with the potential of including customer and driver’s personal data," Jake Moore, global cyber security advisor at ESET, said. "This is seemingly the work of a clever socially engineered attack. Gaining entry to private data inside VPNs needs to be difficult and behind strict protections. This leaves Uber with a lot of questions about how much data was compromised via such an easy method."

It is not known what, if any, customer data might have been accessed at this point in time. This is a developing story, and I will keep updating it as more details emerge.

Davey Winder

Uber Users: What You Need to Know about Last Month’s Data Breach

MET cybercrime expert on how hacker likely gained access to company data and systems

Educating employees is crucial to prevent hacks, BU cybersecurity expert says. File photo by Jeff Chiu/AP Photo

Lindsay Shachnow (COM’25)

Last month, the internal databases of American multinational ride-share company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber’s ineffective security measures made the breach possible. The hacker, who was eventually arrested and is in police custody, is said to have gained access to Uber’s secure data through “social engineering,” which means manipulating or deceiving someone, often by email or phone call, into granting access to personal or financial information. These manipulation methods are becoming commonplace in the world of cybercrime. By posing as a corporate information technology worker, the hacker claimed to have convinced an Uber contractor to reveal the password to Uber’s systems. Uber says it is also possible the hacker bought the contractor’s corporate password on the dark web.

According to Uber, having obtained the contractor’s password, the hacker sent repeated log-in requests to the contractor’s account, each of which generated a two-factor authentication prompt (a second proof of identity, in this case a request to approve the login, required in addition to the password). When the contractor finally accepted one of the prompts, the hacker was through. The hacker was also admitted to the Uber Slack account and posted a message that read: “I announce I am a hacker and Uber has suffered a data breach.”

A security update from Uber says they believe the cybercrime group Lapsus$ is responsible for the attack. “We’re working with several leading digital forensics firms as part of the investigation,” Uber writes. “We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”

BU Today spoke with Kyung-shick Choi (MET’02), a Metropolitan College professor of the practice and director of its Cybercrime Investigation & Cybersecurity programs, about the implications of the hack and how companies and users can protect themselves.

This interview has been edited for length and clarity.

BU Today: Can you briefly describe the scope of Uber’s security breach?

Choi: Uber’s security breach is quite an interesting case, because unlike other major breaches, I wonder if the hacker attained what they really wanted to attain. I was expecting some sort of ransomware attack so they could seek financial gain. But this time, it looks like they didn’t really get much. Of course, maybe Uber’s cybersecurity quickly responded to the incident, but they clearly stated they hacked right on the Slack. And so to me, that’s much more what the motivation could be. They already identified the potential suspect, Lapsus$. It’s a Brazilian hacker group—I presume a group of teenagers. We call them “cyber punks.” They have been really active recently and are gaining fame. I think maybe that’s why they were aiming at such a huge company.

BU Today: Can you talk about their methods, how they possibly gained access?

Choi: According to Uber, the hacker group purchased the log-in password from the dark web. It’s very common that hackers are trading, selling, and buying older passwords and log-in names. So consider, if they are cyber punks and not extremely skillful, just getting the credential through the dark web is the easiest way to commit crime, rather than a complicated hacking process. So maybe that’s what’s happening in this case. Now, Uber has a two-factor authentication system, and so that’s double protection. With two-factor authentication, you get that notification and you have to press the buttons. So maybe [an Uber worker] thought, okay, I did it, and so they approve. So that’s one way, and that’s pure luck to be honest, if [the hackers] did it that way. Another way, if they’re really dedicated hackers, [is to] get deeper into the system. And then they [would] escalate the privilege and change the information to switch the contact to their own. It has to be a burner phone so that you can get your own authentication using the burner. That’s what pretty skillful hackers do, but it looks like the [Uber hackers were] not at that level. That’s my assumption. But normally cyber punks try and try and try, and can kind of luckily get in.

BU Today: What are the potential ramifications for users and their data as a result of the hack?

Choi: Personal data is so important. Every single person’s data can be weaponized and used against them. Your data can be used for criminal purposes, for account takeover, or financial gain. And then, of course, [hackers] can sell the information. And that’s why privacy is so important, in that we really have to protect ourselves.  I can expand it to sexual crime. And so if hackers find out the date of birth, location, and all of that, they can stalk people and then even commit sextortion. I’ve seen those cases a lot.  People think, oh, this is just one hack. But it’s not just one hack. The damage could be substantial to individuals, families, and the community at large. That’s why we have to be really cautious.

BU Today: What data is believed to be compromised by the attack?

Choi: Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information. So, I think [Uber and the authorities] are currently investigating that and what types of information were compromised. According to them, nonsensitive data was exposed, but we don’t know until we really see what happened. Credit card information is encrypted and so that information is safe, and other travel information is secure. I think right after the incident [Uber] reported it to law enforcement and now the FBI is involved. I think [Uber] did the right thing, so once the FBI gets involved and they do a very extensive investigation, we will receive much more accurate information.

BU Today: Do you think Uber handled the situation well?

Choi: I didn’t see the evidence. If I investigated it, then maybe I could see the log file and when they really got hacked. In most hacking incidents, especially on a big scale, the corporations don’t report the victimization right away. I hope Uber reported it right away. At least the suspect and the hacking group left a message, but we don’t know when they really started. And so maybe they spent extensive time, maybe a month of time, until they got to that stage. Commonly, major cases are similar in that way because [hacked companies] don’t want to ruin their reputation from the corporate side. They don’t want to give bad images to the public. Who’s going to use Uber if they constantly get hacked? In this case, [Uber] saw the sign of the hack and they reported it to law enforcement. I think that’s the right way to do it. And that’s why maybe the damages, according to Uber, are minimal. Although, we don’t know yet.

BU Today: Are other rideshare apps vulnerable to similar attacks?

Choi: Of course. Because of the tendency of hackers, if they are professional hackers, they will never attack headquarters, because headquarters have a lot of security built right there. All the major hacks, if you really examine them, are not really happening by directly hacking into the main server. [Hackers] are always finding the small vendors. The size of the company could be very small. That’s a vulnerability right there. That’s also how you handle digital information, and that’s very important. But definitely Lyft and all the others should be careful. So that means they need to educate their employees.

BU Today: What steps should Uber and other rideshare apps take to prevent similar attacks in the future?

Choi: I have my own theory and my theory has become dominant in computer crime victimization. It’s called “cyber-routine activities theory.” Very simple. There are two factors that contribute to computer crime victimization. So either online behavior, that means a human error, and/or there’s a security issue. Business emails getting compromised is always the number one computer crime victimization throughout the history of the internet or email. Then another factor is cybersecurity. What if you don’t have basic protection? What if you don’t have the internal security management? Meaning, do you have a strong policy in place in your company? If something happens, incident response is so important. If you don’t have an incident response policy…they have everything. You just have to wait for law enforcement and watch the hackers stealing every single thing. You cannot do anything because you don’t know what to do. Also important is educating employees. It’s critical. Many [hacking] cases, I would say close to 50 percent, come from an insider. So that’s why you have to maintain all the security credentials, especially when [employees] leave the company. Revenge is a huge factor. [If] they’re not just leaving nicely…[if] they’re doing something with it, maybe selling the information, or sharing all the credentials, or selling it to the dark web.

BU Today: It’s believed the hacker potentially gained access to Uber’s internal systems through a psychological manipulation tactic referred to as social engineering. How can Uber and other companies better prepare and train their employees to identify these persuasive techniques?

Choi: The effective training has to be hands-on training. So statistically speaking, hands-on training really boosts your long-term memory. This type of training is essential so that you feel it when you click it and see what happens. Our programs at MET are designed to train our future law enforcement in cybercrime investigation and cybersecurity. We’re creating a scenario. So we have a suspect and a victim. Students really feel it. They are investigating the case and see how [the hacker] sends a phishing email and they really observe. Also, technology quickly evolves, almost every day. And then our online behavior quickly adapts. The companies should think about that and the changing technology. Companies should really know their employee populations and the characteristics for using social media, for example.

BU Today: How can users protect themselves and their personal data when using rideshare apps?

Choi: Anytime you hear an incident has happened, the first thing you have to do is change your passwords. If you see anything happen, like a hacking incident from the company side, I highly recommend changing passwords so [hackers] cannot do anything further. And so of course, never use the password you have used before. If I were an Uber customer, I would have a very strong password. And be careful when you download apps, by making sure you are downloading genuine apps, because there are lots of replicated ones.

Comments & Discussion

Excellent interview with Dr. Choi. Very important points to consider regarding doing what we can to take responsibility to be more cyber-safe.

Dr. Choi states, “Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information.”

I have never seen invoices or financial information stored in Slack. Can someone elaborate?

Other patterns to look for:

Getting an email from or about old bank accounts or companies you’ve had dealings with could be an indicator of a compromise. One should think, “Did I initiate this?” If you didn’t, be suspicious of that information.

As an active defender in cybersecurity, I can say the fronts are being fought with very complex hacking methods and defenses. One that often gets skipped is the human element.

We can secure information in a variety of ways, and almost all of them can be undone with the human factor. People may very well still be our best line of defense against cyber threats.

Protection against the threat actors is not just the responsibility of cybersecurity professionals; we work with you, to help protect you. The better informed our human firewalls are, the more armed they are to stop these threats, even the lazy ones.

@emily “I have never seen invoices or financial information stored in Slack. Can someone elaborate?”

I’m going to assume a lot here: Slack does have inherent security protocols that companies often deem “internal”. So with an internal Slack channel, companies and employees feel these pathways are safe to divulge sensitive information. This is understandable for the following reasons: teams are separated by remote work and pandemics; teams may be separated by buildings; or someone is out of the office, etc.

All viable reasons, but while the measures are there to protect the information systems, it doesn’t take into account “what if someone else sees it,” from over the shoulder to screen capture.

So good security best practice is that even in Slack (secure channels) the assumption should be: “Is this information valuable to someone other than the intended recipient?” If your answer is YES?

ENCRYPT or DO NOT POST IT in Slack. Logs exist for many reasons, but historical data that is not redacted, backed up, or secured is always a risk.

Back to the human element. It’s easier for the team to work remotely if we can post invoices in Slack for quick viewing. That same ease of workflow also provides ease of access to information that should be guarded.

Even if the intent is to improve, the risk of that improvement should be mitigated.

I am an Uber driver and I feel as if my phone has been hacked ever since the end of August 2022. My phone company, US Cellular, can’t seem to figure out what is going on with my service not working. Even a new phone didn’t fix the problem.

Data Breaches That Have Happened in 2022 and 2023 So Far

Data breaches have been on the rise for a number of years, and sadly, this trend isn't slowing down. The last year or so has been littered with thefts of sensitive information. Data breaches have affected companies and organizations of all shapes, sizes, and sectors, and they're costing US businesses millions in damages.

The widely covered T-Mobile data breach that occurred last year, for instance, cost the company $350 million in 2022, and that's just in customer payouts. This puts more onus than ever on businesses to secure their networks, ensure staff have strong passwords, and train employees to spot the telltale signs of phishing campaigns.

Below, we’ve compiled a list of significant, recent data breaches (and a couple of important data leaks) that have taken place since January 1, 2022, dated to the day they were first reported in the media.

February 2023

February 21

Activision Data Breach: Call of Duty maker Activision has suffered a data breach, with sensitive employee data and content schedules exfiltrated from the company's computer systems. Although the breach occurred in early December 2022, the company has only recently revealed this to the public. According to reports, an employee's credentials were obtained in a phishing attack and subsequently used to infiltrate the system.

February 15

Atlassian Data Breach: Australian software company Atlassian seems to have suffered a serious data breach. A hacking group known as “SiegedSec” claims to have broken into the company's systems and extracted data relating to staff as well as floor plans for offices in San Francisco and Sydney. Included in the dataset are names, email addresses, the departments that staff work in, and other information relating to their employment at Atlassian.

“THATS RIGHT FOLKS, SiegedSec is here to announce we have hacked the software company Atlassian,” the hacking group said in a message that was posted along with the data. “This company worth $44 billion has been pwned by the furry hackers uwu.”

Although Atlassian initially blamed Envoy, an office coordination platform it uses, for the breach, the company later walked this back, revealing that the hacking group had managed to obtain “an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee.”

February 10

Reddit Data Breach: Reddit has confirmed that it suffered a data breach on February 5. “After successfully obtaining a single employee’s credentials,” Reddit CTO Christopher Slowe explained in a recent statement regarding the attack, “the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”

Slowe said that Reddit's systems show “no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data),” but did confirm that “limited contact information… for company contacts and employees (current and former), as well as limited advertiser information” were all accessed.

At present, Reddit has “no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

Optus Data Breach Extortion Attempt: A man from Sydney has been given a Community Correction Order and 100 hours of community service for using data from a recent Optus data breach to blackmail the company's customers. Initially arrested in October of last year, the perpetrator sent SMS messages to 92 people saying that their personal information would be sold to other hackers if they didn't pay AU$2,000.

Weee! Data Breach: 1.1 million customers of Asian and Hispanic food delivery service Weee! have had their personal information exposed in a data breach. A threat actor that goes by the name of IntelBroker posted some of the leaked data on the infamous hacking forum Breached. However, Weee! told Bleeping Computer that “no customer payment data was exposed” because Weee! does not retain any payment information.

Sharp HealthCare Data Breach: Sharp HealthCare, which is the largest healthcare provider in San Diego, California, has notified 62,777 patients that their personal information was exposed during a recent attack on the organization's website. Social Security numbers, health insurance data, and health records belonging to customers have all been compromised, but Sharp says no bank account or credit card information was stolen.

January 2023

JD Sports Data Breach: As many as 10 million people may have had their personal information accessed by hackers after a data breach occurred at fashion retailer JD Sports, which owns JD, Size?, Millets, Blacks, and Scotts. JD Sports CFO Neil Greenhalgh told the Guardian that the company is advising customers “to be vigilant about potential scam emails, calls, and texts” while also “providing details on how to report these.”

T-Mobile Data Breach:  T-Mobile has suffered another data breach, this time affecting around 37 million postpaid and prepaid customers who've all had their data accessed by hackers. The company claims that while it only discovered the issue on January 5th of this year, the intruders are thought to have been exfiltrating data from the company's systems since late November 2022.

As discussed in the introduction to this article, this is not the first time that  T-Mobile has fallen victim to a high-profile cyber attack impacting millions of customers. In the aftermath of last year's attack, during which 76 million customers had their data compromised, the company pledged it would spend $150 million to upgrade its data security – but the recent attack raises serious questions over whether this has been well spent.

MailChimp Breach: Another data breach for MailChimp, just six months after its previous one. MailChimp claims that a threat actor was able to gain access to its systems through a social engineering attack, and was then able to access data attached to 133 MailChimp accounts. It's a bad sign for the company, as the attack method is startlingly similar to last year's breach, casting serious doubts on its security protocols.

PayPal Data Breach: A letter sent to PayPal customers on January 18, 2023, says that on December 20, 2022, “unauthorized parties” were able to access PayPal customer accounts using stolen login credentials.

PayPal goes on to say that the company has “no information” regarding the misuse of this personal information or “any unauthorized transactions” on customer accounts and that there isn't any evidence that the customer credentials were stolen from PayPal's systems.

Chick-fil-A Data Breach: Fast food chain Chick-fil-A is investigating “suspicious activity” linked to a select number of customer accounts. The company has published information on what customers should do if they notice suspicious activity on their accounts, and advised such customers to remove any stored payment methods on the account.

Twitter Data Breach:  Twitter users' data was continuously bought and sold on the dark web during 2022, and it seems 2023 is going to be no different. According to recent reports, a bank of email addresses belonging to around 200 million Twitter users is being sold on the dark web right now for as little as $2. Even though the flaw that led to this leak was fixed in January 2022, the data is still being leaked by various threat actors.

December 2022

December 31

Slack Security Incident: Business communications platform Slack released a statement just before the new year regarding “suspicious activity” taking place on the company's GitHub account.

“Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27,” the company said. However, Slack confirmed that “no downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase”.

December 15

SevenRooms Data Breach: Threat actors on a hacking forum posted details of over 400GB of sensitive data stolen from the CRM platform's servers. The information included files from big restaurant clients, promo codes, payment reports, and API keys. However, it seems that the servers that were breached did not store any customer payment details.

LastPass Data Breach:  Password manager LastPass has told some customers that their information was accessed during a recent security breach. According to LastPass, however, no passwords were accessed by the intruder. This is not the first time LastPass has fallen victim to a breach of their systems this year – someone broke into their development environment in August, but again, no passwords were accessed.

November 2022

November 11

AirAsia Data Breach: AirAsia Group has, according to reports, suffered a ransomware attack orchestrated by “Daixin Team”. The threat group told DataBreaches.net that they obtained “the personal data of 5 million unique passengers and all employees.” This included name, date of birth, country of birth, location, and their “secret question” answer.

Dropbox Data Breach: Dropbox has fallen victim to a phishing attack, with 130 GitHub repositories copied and API credentials stolen after credentials were unwittingly handed over to the threat actor via a fake CircleCI login page.

However, Dropbox confirmed in a statement relating to the attack that “no one's content, passwords or payment information was accessed” and that the issue was “quickly resolved”. Dropbox also said that they were in the process of adopting the “more phishing-resistant form” of multi-factor authentication technique, called “WebAuthn”.

October 2022

Medibank Data Breach: Medibank Private Ltd, currently the largest health insurance provider in Australia, said today that data pertaining to almost all of its customer base (nearly 4 million Australians) had been accessed by an unauthorized party. The attack caused Medibank's stock price to slide 14%, the biggest one-day dip since the company was listed.

Vinomofo Data Breach: Australian wine dealer Vinomofo has confirmed it has suffered a cyber attack. Names, dates of birth, addresses, email addresses, phone numbers, and genders of the company's almost 500,000 customers may have been exposed – although it is currently unclear how many have been affected.

MyDeal Data Breach: 2.2 million customers of Woolworths subsidiary MyDeal, an Australian retail marketplace, have been impacted by a data breach. According to reports, the company's CRM system was compromised, with names, email addresses, telephone numbers, delivery addresses, and some dates of birth exposed during the breach.

Shein Data Breach: Fashion brand Shein's parent company Zoetop has been fined $1.9 million for its handling of a data breach back in 2018, one which exposed the personal information of over 39 million customers that had made accounts with the clothing brand.

The New York Attorney General's Office says Zoetop lied about the size of the breach, as the company initially said only 6.42 million accounts had been affected and didn't confirm credit card information had been stolen when it in fact had.

Toyota Data Breach:  In a message posted on the company's website, the car manufacturer stated that almost 300,000 customers who had used its T-Connect telematics service had had their email addresses and customer control numbers compromised. The company assured customers that there was no danger of financial data such as credit card information, nor names or telephone numbers, having been breached.

In its statement, Toyota acknowledged that the T-Connect database had been compromised since July 2017, and that customers should be vigilant for phishing emails.

Singtel Data Breach: Singtel, the parent company of Optus, revealed that “the personal data of 129,000 customers and 23 businesses” was illegally obtained in a cyber-attack that happened two years ago. Data exposed includes “National Registration Identity Card information, name, date of birth, mobile numbers, and addresses” of breach victims.

Possible Facebook Accounts Data Breach: Meta said that it has identified more than 400 malicious apps on Android and iOS app stores that target online users with the goal of stealing their Facebook login credentials. “These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them,” the tech giant said.

LAUSD Data Breach: Russian-speaking hacking group Vice Society has leaked 500GB of information from The Los Angeles Unified School District (LAUSD) after the US's second-largest school district failed to pay an unspecified ransom by October 4th. The ransomware attack itself first made the headlines in early September when the attack disrupted email servers and computer systems under the district's control.

September 2022

September 23

Optus Data Breach: Australian telecoms company Optus – which has 9.7 million subscribers – has suffered a “massive” data breach. According to reports, names, dates of birth, phone numbers, and email addresses may have been exposed, while a group of customers may have also had their physical addresses and documents like driving licenses and passport numbers accessed.

The attackers are thought to be a state-sponsored hacking group or some sort of criminal organization, and they breached the company's firewall to get to the sensitive information. Australia's Information Commissioner has been notified.

The Australian government has said Optus should pay for new passports for those who entrusted Optus with their data, and Prime Minister Antony Albanese has already suggested it may lead to “better national laws, after a decade of inaction, to manage the immense amount of data collected by companies about Australians – and clear consequences for when they do not manage it well.”

September 20

American Airlines Data Breach:  The personal data of a “very small number” of American Airlines customers has been accessed by hackers after they broke into employee email accounts, the airline has said. Information accessed could have included customers' date of birth, driver's license, passport numbers, and even medical information, they added.

September 19

Kiwi Farms Data Breach:  Notorious trolling and doxing website Kiwi Farms – known for its vicious harassment campaigns that target trans people and non-binary people – has been hacked. According to site owner Josh Moon, whose administrator account was accessed, all users should “assume your password for the Kiwi Farms has been stolen”, “assume your email has been leaked”, as well as “any IP you've used on your Kiwi Farms account in the last month”.

Revolut Data Breach: Revolut has suffered a cyberattack that facilitated an unauthorized third party accessing personal information pertaining to tens of thousands of the app's clients. 50,150 customers have reportedly been impacted. The State Data Protection Inspectorate in Lithuania, where Revolut holds a banking license, said that email addresses, full names, postal addresses, phone numbers, limited payment card data, and account data were likely exposed.

September 18

Rockstar Data Breach:  Games company Rockstar, the developer responsible for the Grand Theft Auto series, was victim of a hack which saw footage of its unreleased Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claims to have the game's source code, and is purportedly trying to sell it. The breach is thought to have been caused through social engineering, with the hacker gaining access to an employee's Slack account. The hacker also claims to be responsible for the Uber attack earlier in the month.

In a statement, Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.”

September 15

Uber Data Breach: Uber's computer network has been breached, with several engineering and comms systems taken offline as the company investigates how the hack took place. Dubbed a “total compromise” by one researcher, email, cloud storage, and code repositories have already been sent to security firms and The New York Times by the perpetrator.

Uber employees found out their systems had been breached after the hacker broke into a staff member's Slack account and sent out messages confirming they'd successfully compromised the network.

September 14

Fishpig Data breach: Ecommerce software developer Fishpig, which over 200,000 websites currently use, has informed customers that a distribution server breach has allowed threat actors to backdoor a number of customer systems. “We are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system” lead developer Ben Tideswell said of the incident.

September 7

North Face Data Breach: Roughly 200,000 North Face accounts have been compromised in a credential stuffing attack on the company's website. These accounts included full names, purchase histories, billing addresses, shipping addresses, phone numbers, account holders' genders, and XPLR Pass reward records. No credit card information is stored on site. All account passwords have been reset, and account holders have been advised to change their passwords on other sites where they have used the same password credentials.
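Credential stuffing, the attack named in the North Face item, replays username and password pairs leaked elsewhere against a login form, so its signature in web logs is one source trying many different accounts in a short window, which is quite different from one user fumbling their own password. The following is an added defender-side illustration (not code from the article or from North Face) that runs that check over constructed login log lines. The log format (timestamp, client IP, action, username, outcome), the five-minute window and the threshold of five distinct failing usernames are assumptions made for this example, and a successful login from a source already flagged is reported separately because it is the strongest sign that an account has actually been taken over.

```python
"""Flag credential stuffing in web login logs.

Added example: the log lines are constructed and the field layout is an
assumption for illustration, not the format of any real product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source trying many accounts (stuffing),
# one user retrying their own password, and one slow, sparse source.
SAMPLE_LOG = """\
2022-09-07T10:00:01Z 203.0.113.10 login alice FAIL
2022-09-07T10:00:02Z 203.0.113.10 login bob FAIL
2022-09-07T10:00:03Z 203.0.113.10 login carol FAIL
2022-09-07T10:00:04Z 203.0.113.10 login dave FAIL
2022-09-07T10:00:05Z 203.0.113.10 login erin FAIL
2022-09-07T10:00:06Z 203.0.113.10 login frank OK
2022-09-07T10:05:00Z 198.51.100.7 login carol FAIL
2022-09-07T10:05:10Z 198.51.100.7 login carol FAIL
2022-09-07T10:05:20Z 198.51.100.7 login carol OK
2022-09-07T08:00:00Z 192.0.2.44 login grace FAIL
2022-09-07T09:30:00Z 192.0.2.44 login heidi FAIL
2022-09-07T11:00:00Z 192.0.2.44 login ivan FAIL
"""

DISTINCT_USER_THRESHOLD = 5          # assumed tuning value for this example
WINDOW = timedelta(minutes=5)        # assumed sliding window length


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, _action, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_stuffing(log_text, threshold=DISTINCT_USER_THRESHOLD, window=WINDOW):
    """Return {ip: alert} for sources that fail logins for many distinct users.

    An alert records when the source crossed the threshold, the peak number
    of distinct failing usernames seen inside one window, and any usernames
    that logged in successfully from that source after it was flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()                       # logs are not guaranteed to be ordered
        recent = deque()                 # events inside the sliding window
        flagged_at, peak, successes = None, 0, []
        for ts, user, ok in evs:
            recent.append((ts, user, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            failed_users = {u for _t, u, o in recent if not o}
            peak = max(peak, len(failed_users))
            if flagged_at is None and len(failed_users) >= threshold:
                flagged_at = ts
            if flagged_at is not None and ok and user not in successes:
                successes.append(user)   # likely account takeover
        if flagged_at is not None:
            alerts[ip] = {
                "first_flagged": flagged_at,
                "peak_distinct_failed_users": peak,
                "successes_after_flag": successes,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The retrying user on 198.51.100.7 and the three failures spread over hours from 192.0.2.44 stay below the threshold, while 203.0.113.10 is flagged at its fifth distinct username and the later successful login for frank is reported as the account to reset first. In practice the same counter is kept per IP range and per user-agent as well, since stuffing tools rotate addresses.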

September 6

IHG/Holiday Inn Data Breach: IHG released a statement saying they became aware of “unauthorized access” to its systems. The company is assessing the “nature, extent and impact of the incident”, with the full extent of the breach yet to be made clear.

September 3

TikTok Data Breach Rumour:  Rumours started circulating that TikTok had been breached after a Twitter user claimed to have stolen the social media site's internal backend source code. However, after inspecting the code, a number of security experts have dubbed the evidence “inconclusive”, including haveibeenpwned.com's Troy Hunt. Users commenting on YCombinator's Hacker News, on the other hand, suggested the data is from some sort of ecommerce application that integrates with TikTok.

Responding to a request for comment from Bloomberg UK, a spokesperson for TikTok said that the company's “security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”

September 2

Samsung Data Breach: Samsung announced that they'd fallen victim to a “cybersecurity incident” when an unauthorized party gained access to their systems in July. In August, they learned some personal information was impacted, including names, contact information, demographics, birth dates as well as product registration information. Samsung is contacting everyone whose data was compromised during the breach via email.

August 2022

Nelnet Servicing Data Breach: Personal information pertaining to 2.5 million people who took out student loans with the Oklahoma Student Loan Authority (OSLA) and/or EdFinancial has been exposed after threat actors breached Nelnet Servicing's systems. The systems were compromised in June, and the unauthorized party remained on the network until late July.

Facebook/Cambridge Analytica Data Breach Settlement: Meta agreed on this date to settle a lawsuit that alleged Facebook illegally shared data pertaining to its users with the UK analysis firm Cambridge Analytica. The data was subsequently used by political campaigns in the UK and US during 2016, a year which saw Donald Trump become president and Britain leave the EU via referendum.

DoorDash Data Breach: “We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” DoorDash said in a blog post.

The delivery service went on to explain that “the information accessed by the unauthorized party primarily included [the] name, email address, delivery address and phone number” of a number of DoorDash customers, whilst other customers had their “basic order information and partial payment card information (i.e., the card type and last four digits of the card number)” accessed.

LastPass Breach: The password manager disclosed to its customers that it was compromised by an “unauthorized party”. The company assured customers that this took place in its development environment and that no customer details are at risk. A September update confirmed that LastPass's security measures prevented customer data from being breached, and the company reminded customers that they do not have access to or store users' master passwords.

Plex Data Breach:  Client-server media streaming platform Plex is enforcing a password reset on all of its user accounts after “suspicious activity” was detected on one of its databases. Reports suggest that usernames, emails, and encrypted passwords were accessed.

DESFA Data Breach: Greece's largest natural gas distributor confirmed that a ransomware attack caused an IT system outage and some files were accessed. However, a quick response from the organization's IT team – including deactivating online servers – meant that the damage caused by the threat was minimal.

Cisco Data Breach: Multi-national technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached its corporate network after the group published data stolen during the breach online. Security experts have suggested the data is not of “great importance or sensitivity”, and that the threat actors may instead be looking for credibility.

Twilio Data Breach: Messaging behemoth Twilio confirmed on this date that data pertaining to 125 customers was accessed by hackers after they tricked company employees into handing over their login credentials by masquerading as IT department workers.

Uber Data Breach Cover-Up: Although this data breach actually took place way back in 2016 and was first revealed in November 2017, it took Uber until July 2022 to finally admit it had covered up an enormous data breach that impacted 57 million users, and even paid $100,000 to the hackers just to ensure it wasn't made public. The case will see Uber's former chief security officer, Joe Sullivan, stand trial for the breach – the first instance of an executive being brought to the dock for charges related to a data breach.

Twitter Data Breach: The first reports that Twitter had suffered a data breach concerning phone numbers and email addresses attached to 5.4 million accounts started to hit the headlines on this date, with the company confirming in August that the breach was indeed genuine. The vulnerability that facilitated the breach was known by Twitter at the turn of the year and had been patched by January 13, 2022, so data theft must have happened within that short window.

Neopets Data Breach: On this date, a hacker going by the alias “TarTaX” put the source code and database for the popular game Neopets' website up for sale on an online forum. The database contained account information for 69 million users, including names, email addresses, zip codes, genders, and dates of birth.

Cleartrip Data Breach: Travel booking company Cleartrip – which is massively popular in India and majority-owned by Walmart – confirmed its systems had been breached after hackers claimed to have posted its data on an invite-only dark web forum. The full extent of the data captured from the company’s internal servers is unknown.

Infinity Rehab and Avamere Health Services Data Breach: The Department of Health and Human Services was notified by Infinity Rehab that 183,254 patients had had their personal data stolen. At the same time, Avamere Health Services informed the HHS that 197,730 patients had suffered a similar fate. Information stolen included names, addresses, driver’s license information, and more. On August 16, Washington’s MultiCare revealed that 18,165 more patients were affected in the same breach.

Deakin University Data Breach: Australia's Deakin University confirmed on this date that it was the target of a successful cyberattack that saw the personal information of 46,980 students stolen, including recent exam results. Around 10,000 of the university's students received scam text messages shortly after the data breach occurred.

Marriott Data Breach: The hotel group – which is no stranger to a data breach – confirmed its second high-profile data breach of recent years had taken place in June, after a hacking group tricked an employee and subsequently gained computer access. According to databreaches.net, the group claimed to be in possession of 20 GB of data stolen from the BWI Airport Marriott's server in Maryland. Marriott would be notifying 300-400 individuals regarding the breach.

OpenSea Data Breach: NFT marketplace OpenSea – that lost $1.7 million of NFTs in February to phishers – suffered a data breach after an employee of Customer.io, the company’s email delivery vendor, “misused their employee access to download and share email addresses provided by OpenSea users… with an unauthorized external party”. The company said that anyone with an email account they shared with OpenSea should “assume they are affected”.

Flagstar Bank Data Breach: 1.5 million customers were reportedly affected in a data breach that was first noticed by the company on June 2, 2022. “We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident” a letter from Flagstar bank to affected customers read.

Baptist Medical Center and Resolute Health Hospital Data Breach: The two health organizations – based in San Antonio and New Braunfels respectively – disclosed that a data breach had taken place between March 31 and April 24. Data lifted from its systems by an “unauthorized third party” included the social security numbers, insurance information, and full names of patients.

Choice Health Insurance Data Breach: On this date, Choice Health Insurance started to notify customers of a data breach caused by “human error” after it realized an unauthorized individual was offering to make data belonging to Choice Health available online. This had actually been publicly available since May 2022. The data dump consisted of 600MB of data with 2,141,006 files with labels such as “Agents” and “Contacts”.

Shields Health Care Group Data Breach: It was reported in early June that Massachusetts-based healthcare company Shields was the victim of a data breach that affected 2,000,000 people across the United States. The breach was first discovered on March 28, 2022, and information such as Social Security numbers, Patient IDs, home addresses, and information about medical treatments was stolen. A class action lawsuit was filed against the company shortly after.

Verizon Data Breach: A threat actor got their hands on a database full of names, email addresses, and phone numbers of a large number of Verizon employees in this Verizon data breach. Vice/Motherboard confirmed these numbers were legitimate by ringing the numbers contained in the databases and confirming they currently (or used to) work at Verizon. According to Vice, the hacker was able to infiltrate the system after convincing an employee to give them remote access in a social engineering scam.

Texas Department of Transportation Data Breach: According to databreaches.net, personal records belonging to over 7,000 individuals had been acquired by someone who hacked the Texas Dept. for Transportation.

Alameda Health System Data Breach: Located in Oakland, California, Alameda Health System notified the Department of Health and Human Services that around 90,000 individuals had been affected by a data breach after suspicious activity was detected on some employee email accounts, which was later found to be an unauthorized third party.

National Registration Department of Malaysia Data Breach: A group of hackers claimed to hold the personal details of 22.5 million Malaysians stolen from myIDENTITI API, a database that lets government agencies like the National Registration Department access information about Malaysian citizens. The hackers were looking for $10,000 worth of Bitcoin for the data.

Costa Rican Government Data Breach: In one of the most high-profile cyberattacks of the year, the Costa Rican government – which was forced to declare a state of emergency – was hacked by the Conti ransomware gang. Conti members breached the government's systems, stole highly valuable data, and demanded $20 million in payment to avoid it being leaked. 90% of this data – amounting to around 670GB – was posted to a leak site on May 20.

SuperVPN, GeckoVPN, and ChatVPN Data Breach: A breach involving a number of widely used VPN companies led to 21 million users having their information leaked on the dark web. Full names, usernames, country names, billing details, email addresses, and randomly generated password strings were among the information available. Unfortunately, this is not the first time supposedly privacy-enhancing VPNs have made the headlines for a data breach.

Cash App Data Breach: A Cash App data breach affecting 8.2 million customers was confirmed by parent company Block on April 4, 2022 via a report to the US Securities and Exchange Commission. The breach had actually occurred way back in December 2021, with customer names and brokerage account numbers among the information taken.

Emma Sleep Data Breach: First reported on April 4, customer credit card information was skimmed using a “Magecart attack”. “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen” an email to customers read.

Apple & Meta Data Breach: According to Bloomberg, in late March, two of the world’s largest tech companies were caught out by hackers pretending to be law enforcement officials. Apple and Meta provided the threat actors with customer addresses, phone numbers, and IP addresses in mid-2021. The hackers had already gained access to police systems to send out fraudulent demands for the data. Some of the hackers were thought to be members of the Lapsus$ hacking group, who reportedly stole the Galaxy source code from Samsung earlier in the month.

US Department of Education Data Breach: It was revealed that 820,000 students in New York had their data stolen in January 2022, with demographic data, academic information, and economic profiles all accessed. Chancellor David Banks blamed software company Illuminate Education for the incident.

Texas Department of Insurance Data Leak: The state agency confirmed on March 24 that it had become aware of a “data security event” in January 2022, which had been ongoing for around three years. “Types of information that may have been accessible”, the TDI said in a statement in March, included “names, addresses, dates of birth, phone numbers, parts or all of Social Security numbers, and information about injuries and workers’ compensation claims.” 1.8 million Texans are thought to have been affected.

Morgan Stanley Client Data Breach: US investment bank Morgan Stanley disclosed that a number of clients had their accounts breached in a vishing (voice phishing) attack in February 2022, in which the attacker claimed to be a representative of the bank in order to breach accounts and initiate payments to their own account. This was, however, not the fault of Morgan Stanley, which confirmed its systems “remained secure”.

February 2022

February 25

Nvidia Data Breach: Chipmaker Nvidia confirmed in late February that it was investigating a potential cyberattack, which was subsequently confirmed in early March. In the breach, information relating to more than 71,000 employees was leaked. Hacking group Lapsus$ claimed responsibility for the intrusion into Nvidia’s systems.

February 20

Credit Suisse Data Leak: Although this is technically a “data leak”, it was orchestrated by a whistleblower against the company’s wishes and one of the more significant exposures of customer data this year. Information relating to 18,000 Credit Suisse accounts was handed over to German publication Süddeutsche Zeitung, and showed the Swiss company had a number of high-profile criminals on their books. The incident kickstarted a fresh conversation about the immorality of Switzerland's banking secrecy laws.

January 2022

Crypto.com Data Breach: On January 20, 2022, Crypto.com made the headlines after a data breach led to funds being lifted from 483 accounts. Roughly $30 million is thought to have been stolen, despite Crypto.com initially suggesting no customer funds had been lost.

Red Cross Data Breach: In January, it was reported that the data of more than 515,000 “extremely vulnerable” people, some of whom were fleeing from warzones, had been seized by hackers via a complex cyberattack. The data was lifted from at least 60 Red Cross and Red Crescent societies across the globe via a third-party company that the organization uses to store data.

Flexbooker Data Breach: On January 6, 2022, data breach tracking site HaveIBeenPwned.com revealed on Twitter that 3.7 million accounts had been breached in the month prior. Flexbooker only confirmed that customer names, phone numbers, and addresses were stolen, but HaveIBeenPwned.com said “partial credit card data” was also included. Interestingly, 69% of the accounts were already in the website’s database, presumably from previous breaches.

Data Breaches vs Data Leaks vs Cyberattacks

This article largely concerns data breaches. A data breach occurs when a threat actor breaks into (or breaches) a company, organization, or entity’s system and purposefully lifts sensitive, private, and/or personally identifiable data from that system. When this happens, companies are sometimes forced to pay ransoms, or their information is stolen and posted online. According to one estimate, 5.9 billion accounts were targeted in data breaches last year.

This is different from a data leak, which is when sensitive data is unknowingly exposed to the public or members of the public, such as the Texas Department of Insurance leak mentioned above. The term “data leak” is often used to describe data that could, in theory, have been accessed by people it shouldn't have, or data that fell into the hands of people via non-malicious means. A government employee accidentally sending someone an email with sensitive data is usually described as a leak, rather than a breach.

Although all data breaches fall under the umbrella of a “cyber attack”, cyber attacks are not limited to data breaches. Some cyber attacks have different motivations – such as slowing a website or service down or causing some other sort of disruption. Not all cyberattacks lead to the exfiltration of data, but many do.

How Can I Protect My Organization From Cyber-Attacks?

Ensuring you take steps to protect your company from the sorts of cyber attacks that lead to financially fatal data breaches is one of the most crucial things you can do. It's not just businesses that are at risk, however – schools and colleges are some of the most frequently targeted organizations that suffer huge financial losses.

Some companies and organizations – like Lincoln College – have had to shut down due to the fallout costs of a cyberattack. There has never been more of an onus on companies, colleges, and other types of organizations to protect themselves.

Unauthorized access to networks is often facilitated by weak business account credentials. So, whilst passwords are still in use, the best thing you can do is get your hands on a password manager for yourself and the rest of your staff team. This will allow you to create robust passwords that are sufficiently long and different for every account you hold. However, you'll also need to use additional security measures, like two-factor authentication, wherever possible, to create a second line of defense.

Another thing you must do is ensure your staff has sufficient training to spot suspicious emails and phishing campaigns. 70% of cyberattacks target business email accounts, so having staff that can recognize danger when it's present is just as important as any software.


Written by:

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and Politics.co.uk covering a wide range of topics.


Uber investigating cybersecurity incident after hacker breaches its internal network


Uber confirmed on Thursday that it’s responding to a cybersecurity incident after reports claimed a hacker had breached its internal network.

The ride-hailing giant discovered the breach on Thursday and has taken several of its internal communications and engineering systems offline while it investigates the incident, according to a report by The New York Times, which broke news of the breach.

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach,” the Times reports. The hacker also reportedly said that Uber drivers should receive higher pay.

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. — Uber Comms (@Uber_Comms) September 16, 2022

According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high-privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.

“If you had your data in Uber, there’s a high chance so many people have access to it,” Reed said in a LinkedIn post, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password.

The attacker is also believed to have gained administrative access to Uber’s cloud services, including on Amazon Web Services (AWS) and Google Cloud (GCP), where Uber stores its source code and customer data, as well as the company’s HackerOne bug bounty program.

Sam Curry, a security engineer at Yuga Labs who described the breach as a “complete compromise,” said that the threat actor likely had access to all of the company’s vulnerability reports, which means they may have had access to vulnerabilities that have not been fixed. HackerOne has since disabled the Uber bug bounty program.

In a statement given to TechCrunch, Chris Evans, HackerOne CISO and chief hacking officer, said the company “is in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.”

This is not the first time that Uber has been compromised. In 2016, hackers stole information from 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete the data. Uber made the payment to the hackers but kept the news of the breach quiet for more than a year.


What Caused the Uber Data Breach in 2022?

Edward Kost


The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber’s network with these credentials failed because the account was protected with MFA. To overcome this security obstacle, the hacker contacted the Uber employee via WhatsApp and, while pretending to be a member of Uber’s security team, asked the employee to approve the MFA notifications being sent to their phone. The hacker then sent a flood of MFA notifications to the employee’s phone to pressure them into succumbing to this request. To finally put an end to this notification storm, the Uber employee approved an MFA request, granting the hacker network access, which ultimately led to the data breach.

After completing the attack, the hacker compromised an Uber employee’s Slack account and announced the successful breach to the entire company.

Screenshot of the hacker's breach announcement in Uber's Slack channel

This isn’t the first time Uber has been hacked. In 2016, two hackers breached Uber’s systems, accessing names, email addresses, and phone numbers of 57 million users of the Uber app.

What Data Did the Hacker Access?

After successfully connecting to Uber’s intranet, the hacker gained access to the company’s VPN and discovered Microsoft PowerShell scripts containing the login credentials of an admin user in Thycotic, the company’s Privileged Access Management (PAM) solution. This discovery significantly increased the severity of the breach by facilitating full admin access to all of Uber’s sensitive services, including DA, DUO, OneLogin, Amazon Web Services (AWS), and GSuite.

The hacker also allegedly accessed Uber’s bug bounty reports which usually contain details of security vulnerabilities yet to be remediated.

The 18-year-old hacker, believed to be associated with the cybercriminal group Lapsus$, revealed the details of the attack in a conversation with cybersecurity researcher Corben Leo.


Was any Sensitive User Data Stolen During the Uber Breach?

Despite the deep level of compromise the hacker achieved, no evidence of customer data theft has been announced. This is likely because the hacker wasn’t intent on causing harm but was, rather, chasing the thrill of a successful cyberattack and the hacker community respect that comes with it.

Had the hacker been motivated by financial gain, he would have likely sold Uber’s bug bounty reports on a dark web marketplace. Given the devastating data breach impact that’s possible with the findings of a bug bounty program, it would have sold for a very high price.

To say that Uber is lucky this hacker wasn’t an actual cybercriminal is a significant understatement. The company came so close to a complete system shutdown. From a cybersecurity perspective, it seems almost unbelievable that after taking complete control of Uber’s systems, the hacker just dropped everything and walked away. Without any security obstacles left to overcome, it would have been so easy to tie off the breach with a quick installation of ransomware.

Given Uber’s poor reputation for handling extortion attempts, thankfully, this didn’t happen. When Uber was breached in 2016, the company paid the cybercriminals their $100,000 ransom in exchange for deleting their copy of the stolen data. Then, in an attempt to conceal the event, the company forced the hackers to sign a non-disclosure agreement and made it appear like the ransom payment was an innocuous reward within the company’s bug bounty program.


4 Key Lessons From the Uber Data Breach

Several critical cybersecurity lessons can be learned from the Uber data breach. By applying them to your cybersecurity efforts, you could potentially avoid suffering a similar fate.

1. Implement Cyber Awareness Training

The fact that the Uber employee eventually gave in to the flood of MFA requests in the initial stage of the attack is evidence of poor awareness of a common MFA exploitation tactic known as MFA fatigue. Had the Uber employee been aware of this tactic, they would likely have reported the threat rather than falling victim to it, which would have prevented the breach from happening. The hacker also used social engineering techniques to fool the Uber employee into thinking they were a member of Uber’s security team, which is another common cyberattack tactic.

Implementing cyber awareness training will equip your staff to recognize the common cyberattack methods that made this breach possible - MFA fatigue and social engineering.

The following free resources can be used to educate your employees about common cyber threats and the importance of cybersecurity:

2. Be Aware of Common MFA Exploitation Methods

Not all Multi-Factor Authentication protocols are equal. Some are more vulnerable to compromise than others. Your cybersecurity teams should compare your current MFA processes against common exploit tactics and, if required, upgrade the complexity of authentication protocols to mitigate exploitation.


3. Never Hardcode Admin Login Credentials Anywhere (Ever)

Probably the most embarrassing cybersecurity blunder in this incident is the hardcoding of admin credentials inside a PowerShell script. This meant that the potential for an unauthorized user to access Uber’s sensitive systems was always there - all that was required was for someone to read the PowerShell script and discover the admin credentials contained therein.

This security flaw would have been avoided if secure coding practices had been followed. Admin credentials should always be stored securely in a password vault and certainly never hardcoded anywhere.

4. Implement a Data Leak Detection Service

If the Uber hacker had had more malicious intentions, customer data would have been stolen, published on the dark web, and accessed multiple times by cybercriminals before Uber even realized it was breached. It’s crucial for organizations to have a safety net in place for detecting dark web data leaks from undetected data breaches, from both first-hand and third-party attacks.

A data leak detection service notifies impacted businesses when sensitive data leaks are detected on the dark web so that cybersecurity teams can secure compromised accounts before they’re targeted in follow-up attacks.


Reviewed by

Kaushik Sen


Uber Data Breach: What To Know About the 2022 Cybersecurity Attack

No matter how robust network security is, even the biggest companies fall victim to cyber attacks. These malicious attacks can be costly — to the tune of 4.3 million on average — but they also disrupt operations and hurt a company’s reputation. 

In fact, it is anticipated that cybercrime will cost the world $10.5 trillion annually by 2025. A recent breach at Uber reminds us of how social engineering attacks are on the rise and urges us to protect and train our employees to prevent such detrimental attacks. Below, we’ll dissect the Uber data breach and what you can do to avoid facing a similar devastating situation. 

So, What Happened at Uber?

On September 15, 2022, Uber employees were surprised to find an unauthorized user posting in their company’s Slack channel. They had hacked their way into the account and left a message that read, “I announce I am a hacker and Uber has suffered a data breach.” Uber employees, who did not reveal their identities, admitted that it appeared as if the hacker breached multiple internal applications and accessed sensitive data.

Although the suspected hacker, who is allegedly only 18 years old, has been arrested, the damage was done. The hacker had left an explicit image within Uber’s internal systems and exposed how they had hacked the company using social engineering. Uber is now having to launch their own internal investigation into the incident, and will more than likely have to enact a costly remediation plan.

How Did the Hacker Gain Access to Uber’s Internal Systems?

The Uber cybersecurity protocols would have probably been enough to prevent the data breach — if it weren’t for the use of social engineering. The hacker admitted on Twitter that they gained access to the company’s internal VPN by tricking an employee into handing it over. The hacker claimed they were a corporate information technology expert and needed the password. The threat actor also had access to credentials that allowed them to breach Uber’s AWS and G Suite accounts.

Social engineering — or the practice of using human emotion to get the victim to perform an action or give the threat actor needed information — is not uncommon in the cybersecurity world. In fact, many experts agree that untrained employees are your biggest area of vulnerability. The threat actor responsible for the Uber data breach has also claimed to have used social engineering when launching an attack against Rockstar Games.

Protect Your Company Against Incidents Like the Uber Data Breach 

Stay up to date with the latest social engineering techniques.

Although direct messaging and calling are popular social engineering techniques, it’s expected that the cybercrime trend of impersonating well-known companies through email phishing scams will continue to grow this year. To protect your organization, be aware of these trends and speak with a cybersecurity consultant if you feel your organization is vulnerable.

Test Your Network Vulnerabilities Regularly

Unfortunately, social engineering isn’t going away — which means you need to know if there are vulnerabilities within your network that can make a social engineering attack even more disastrous. For example, a threat actor who has gained access to your internal network with stolen login credentials may be able to move laterally within your organization’s internal framework and escalate their privileges with help from unpatched applications or outdated technologies.

Routine vulnerability assessments performed quarterly can help your organization’s private data stay private. An expert assessment can help identify false positives from vulnerability scans and provide a report with more information. An assessment report may include discovered vulnerabilities, a walkthrough of what was done, and research and solutions to better protect your organization.

Continuously Train Your Employees To Recognize Attacks

Uber was hacked in 2022 because an employee did not recognize that they were a victim of social engineering. Cybersecurity awareness training can arm employees with valuable information so that they know what to do when suspicious activity occurs at work. Engaging learning tools such as training videos and live hack demonstrations can not only get your team up to speed, but can help motivate them to stay vigilant.

Kevin Mitnick Security Awareness Training

Aside from learning the details about cyberattacks like the Uber data breach, security awareness training for your employees can help keep you one step ahead of social engineers. 

Train your team when and where it’s convenient, with the world's largest security awareness training content library. Begin strengthening your organization’s security posture by exploring the Security Awareness Training Library by Mitnick Security.


© Copyright 2004 - 2023 Mitnick Security Consulting LLC. All rights Reserved. | Privacy Policy


Uber Data Breach 2022: What You Need to Know


The world of digital security has been under the spotlight for various reasons in the last year. Several high-profile incidents have directly impacted the general public, from cyber attacks to privacy scandals. 

Uber is the latest company to be caught up in this whirlwind after hackers managed to breach their security and steal sensitive user data from the ride-hailing service. 

This article provides an overview of what happened, what went wrong, and what you can do to keep your accounts safe.

What Caused Uber Data Breach in Security?

On September 15, Uber announced the news of its system breach. Through social engineering, the hacker compromised an employee’s Slack account. 

During the Uber cyber attack, the hacker persuaded the employee to hand over a critical password that allowed them access to Uber’s systems.

The screenshots the hacker shared with security researchers suggest that this person gained complete access to the cloud-based systems where Uber stores sensitive customer and financial information. 

The hacker is also said to have posted a not-safe-for-work image on the internal resource page of one company employee (who wished to stay anonymous).

Some noteworthy points include the following: 

How Was Uber’s Security Breached?

An attempt was made by the hacker to socially engineer Uber workers, which resulted in access to a VPN and the company’s internal network. 

Allegedly, an 18-year-old hacker is responsible for stealing data from Uber. However, last week, Uber shared more details about the attack, which notably pinned the threat actor’s affiliation to the notorious LAPSUS$ hacking group.

Uber’s system vulnerability came to the fore when its native Privileged Access Management (PAM) platform admin credentials were compromised. 

Privileged Access Management is a collection of tools and technologies that protects, restricts, and monitors employee access to a company’s vital data and resources. 

Once a hacker enters the network, they get access to PowerShell scripts, which include the domain admin’s account login information in a hard-coded form. 

During the recent breach, the hijacker gained full administrative access to the company’s AWS, vSphere domain, Duo, G Suite, OneLogin, VMware, and other accounts. They even obtained Uber’s source code; screenshots were provided as evidence. 

Since there were no ransom or extortion notes, researchers believe that the hacker performed the engineering attack only for cheap thrills. 

Hard-coded parameters in a PowerShell script were the significant weakness that gave the attacker such extensive access: the login credentials they contained granted administrator access to Thycotic, a PAM system.

This tool carries a lot of privileges for the company’s users. It holds both end-user keys for personnel access to internal resources and third-party programs. 

Additionally, it includes DevOps insights used commonly during software development, making it a single failure point. 

The PAM system manages access to several systems. As a result, the attacker had full access to all of Uber’s core systems.
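As an added illustration of Lesson 3 above and of the hard-coded PowerShell credentials described in this section (example code written for this page, not Uber's scripts or any vendor's product), the Python scanner below flags the credential patterns that a pre-commit hook or repository scan should reject, and contrasts a constructed vulnerable script with one that pulls the secret from a vault at run time. The script contents, account name, host name and vault name are all made up; `Get-Secret` assumes the Microsoft.PowerShell.SecretManagement module is installed.

```python
"""Flag hard-coded credentials in PowerShell scripts (added example, not from the page).

The two scripts below are constructed: the first shows the anti-pattern
described in the text (admin credentials embedded in a script), the second
fetches the secret from a vault at run time. Account, host and vault names
are made up.
"""
import re
from typing import List, Tuple

# Patterns that usually mean a secret is embedded in the script. PowerShell
# cmdlet and parameter names are case-insensitive, hence re.I everywhere.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    # $password = "..."  /  $dbPwd = '...'  /  $apiSecret = "..."
    ("plaintext-variable",
     re.compile(r'\$\w*(pass(word|wd)?|secret|pwd)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    # ConvertTo-SecureString "..." -AsPlainText -Force: a literal turned into a SecureString
    ("convertto-securestring-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\'][^\n]*-AsPlainText', re.I)),
    # -Password "..." (or -Secret / -ApiKey) passed straight to a cmdlet
    ("credential-parameter-literal",
     re.compile(r'-(Password|Secret|ApiKey)\s+["\'][^"\']{4,}["\']', re.I)),
    # user:password@host embedded in a URL
    ("url-embedded-credentials",
     re.compile(r'[a-z][a-z0-9+.-]*://[^\s:/@"\']+:[^\s/@"\']+@', re.I)),
]


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, line) for every suspicious line.
    Comment lines are skipped; a line yields at most one finding."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((number, name, line.strip()))
                break
    return findings


# Constructed: the anti-pattern the text describes. Scanning it yields two findings.
VULNERABLE_SCRIPT = """\
# Domain admin credentials embedded in the script: anyone who can read it owns the account.
$user = "CORP\\svc-admin"
$password = "Sup3rSecret!"
$secure = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-Command -ComputerName pam01 -Credential $cred -ScriptBlock { Get-Service }
"""

# Constructed: the same task with the secret pulled from a vault at run time.
# Get-Secret comes from the Microsoft.PowerShell.SecretManagement module (assumed
# installed); "CorpVault" is a made-up registered vault name. Nothing sensitive
# lives in the file, so reading the script no longer yields the account.
HARDENED_SCRIPT = """\
$secure = Get-Secret -Name "svc-admin" -Vault "CorpVault"
$cred = New-Object System.Management.Automation.PSCredential("CORP\\svc-admin", $secure)
Invoke-Command -ComputerName pam01 -Credential $cred -ScriptBlock { Get-Service }
"""


def gate(text: str) -> bool:
    """Pre-commit style decision: True when the script carries no embedded secret."""
    return not scan_script(text)


if __name__ == "__main__":
    for number, name, line in scan_script(VULNERABLE_SCRIPT):
        print(f"line {number}: {name}: {line}")
    print("hardened script clean:", gate(HARDENED_SCRIPT))
```

Running the block reports line 3 (plaintext variable) and line 4 (literal passed to ConvertTo-SecureString) of the vulnerable script and passes the hardened one; the same `gate()` call is what a pre-commit hook or CI job would run over every `.ps1` file so that a script like the one found on Uber's share never reaches a file server in the first place.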

Who Was Affected by Uber Cybersecurity Attack?

Although the hackers gained access to only some information from Uber’s users, they still breached the company’s security: they found a way into Uber’s systems and from there into other accounts.

It’s possible the hackers also gained access to sensitive information from other apps that track users, so they may have obtained information such as addresses, email addresses, and license numbers (although no evidence proves this yet).

Such information could enable unauthorized access to users’ bank accounts, receiving Social Security benefits in someone else’s name, and even driving cars without being detected.

Some people have questioned Uber’s response to the data breach in light of how they had previously failed to disclose the 2016 breach that cost them $148 million in legal penalties.

Additionally, it has been reported that the company didn’t immediately notify everyone affected by the breach, which is unusual. Some people may have been left unaware that their information was breached.

If you want to avoid a cyber attack and data breach like Uber’s at your company, keep up to date with the world of cybersecurity through Appknox’s cyber security jargon guide.


Tanya Jethwani


Copyright © 2023 Appknox, Xysec Labs


Uber investigating 'cybersecurity incident' after report of breach

An Uber office is shown in California

Sept 16 (Reuters) - Uber Technologies Inc (UBER.N) said it was investigating a cybersecurity incident after a report of a network breach that forced the company to shut several internal communications and engineering systems.

On Friday, Uber said it had no evidence that the incident involved access to sensitive user data such as trip histories, and that the internal software tools the company had taken offline after the hack were coming back online.

Uber began investigating the cybersecurity incident on Thursday.

A hacker compromised an employee's account on workplace messaging app Slack and used it to send a message to Uber employees announcing that the company had suffered a data breach, according to a New York Times report on Thursday that cited an Uber spokesperson.

Cybersecurity has been an issue for Uber in the past. It suffered a significant hack in 2016 that exposed the personal information of about 57 million of its customers and drivers.


Shares of the ride-hailing firm were down nearly 4% on Friday amid broader U.S. market declines.

It appeared the hacker was able to gain access to other internal systems, posting an explicit photo on an internal information page for employees, the Times report added.

"We are in touch with law enforcement and will post additional updates here as they become available," Uber said in a tweet, without providing further details.

The hacker has claimed they have gained access to security vulnerability information produced by HackerOne for Uber. Such confidential information could be used for further breaches at the company.

HackerOne said they are "in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation," according to Chris Evans, HackerOne's chief hacking officer.

Security researcher Bill Demirkapi said screenshots circulating online did seem to corroborate the hacker's or hackers' boast that they had access to Uber's internal systems.

"This story is still developing and these are some extreme claims, but there does appear to be evidence to support it," he said in a message posted to Twitter.

Uber employees were instructed not to use the Salesforce Inc-owned office messaging app Slack, according to the NYT report.

"I announce I am a hacker and Uber has suffered a data breach," the message read, and went on to list several internal databases that were allegedly compromised, the report added.

A person assumed responsibility for the hack and told the paper he had sent a text message to an Uber employee claiming to be a corporate IT person.

The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber's systems, the report said.

Uber Chief Executive Officer Dara Khosrowshahi, who took charge a year after the 2016 hack, fired the then chief security officer, who was later charged with trying to cover up the breach.


Uber Breach 2022: Detect the Destructive Cyber-Attack Causing the Complete Organization’s System Takeover

Anastasiia Yevdokimova


On September 15, Uber officially confirmed an attack resulting in an organization-wide cybersecurity breach. According to the security investigation, the organization’s system was severely hacked, with attackers moving laterally to gain access to the company’s critical infrastructure. The cybersecurity incident was brought to the limelight after a young hacker, who claimed to have breached Uber’s systems, shared vulnerability reports and screenshots of the organization’s critical assets, including an email dashboard and the Slack server. This sensitive information was publicly disclosed on the bug bounty platform HackerOne. 

The HackerOne vulnerability reports confirm that the adversary breached the system’s internal network, impacting the Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard.

Detect Uber Breach 2022-Related Malicious Activity 

Sigma rules developed by SOC Prime's detection engineers help security professionals ensure that their systems can withstand attacks involving MFA abuse, such as push flooding:

Okta Possible MFA/2FA Flooding/Spamming/Phishing (via user_auth)

Azure Possible MFA/2FA Flooding/Spamming/Phishing (via azuread)

The detection content pieces above are aligned with the MITRE ATT&CK® framework. Security practitioners can easily switch between multiple SIEM, EDR, and XDR formats to get the rule source code applicable to 26 security solutions.
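To show the kind of logic such an MFA flooding rule encodes, and to tie it back to the MFA fatigue sequence described in the UpGuard section above, here is an added Python example (not SOC Prime's rule source and not code from any of the articles on this page). It runs a sliding-window push-flooding check over a handful of constructed, simplified Okta System Log-style events: the field names (`published`, `eventType`, `outcome.result`, `actor.alternateId`) and the two event type strings follow Okta's log format, while the users, timestamps and the threshold of five pushes in five minutes are assumptions chosen for the demonstration.

```python
"""Detect MFA push flooding ("MFA fatigue") in authentication logs.

Added example, not SOC Prime's rule source. Events use a simplified Okta
System Log shape (published, eventType, outcome.result, actor.alternateId);
the users, timestamps and thresholds are constructed for the demonstration.
"""
import json
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

PUSH_SENT = "system.push.send_factor_verify_push"  # Okta: a push challenge was sent
MFA_AUTH = "user.authentication.auth_via_mfa"      # Okta: the user completed MFA


def make_log(user: str, start: datetime, pushes: int, gap_seconds: int, approve: bool) -> List[str]:
    """Constructed JSON log lines: `pushes` challenges `gap_seconds` apart for `user`,
    optionally followed by a successful MFA authentication (the victim tapped Approve)."""
    lines, t = [], start
    for _ in range(pushes):
        lines.append(json.dumps({"published": t.isoformat() + "Z", "eventType": PUSH_SENT,
                                 "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": user}}))
        t += timedelta(seconds=gap_seconds)
    if approve:
        lines.append(json.dumps({"published": t.isoformat() + "Z", "eventType": MFA_AUTH,
                                 "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": user}}))
    return lines


def parse(lines: List[str]) -> List[dict]:
    """Parse JSON lines into flat events sorted by time."""
    events = []
    for line in lines:
        raw = json.loads(line)
        events.append({"time": datetime.fromisoformat(raw["published"].rstrip("Z")),
                       "user": raw["actor"]["alternateId"],
                       "type": raw["eventType"],
                       "result": raw["outcome"]["result"]})
    return sorted(events, key=lambda e: e["time"])


def detect_mfa_fatigue(events: List[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Sliding-window rule: alert when one user receives `threshold` or more push
    challenges inside `window`. The alert is marked approved when a successful
    MFA authentication for that user follows the flood within the window, which
    is the fatigue outcome (the victim gives in) and deserves immediate response."""
    pushes: Dict[str, Deque[datetime]] = {}
    alerts: Dict[str, dict] = {}
    for ev in events:
        user = ev["user"]
        w = pushes.setdefault(user, deque())
        if ev["type"] == PUSH_SENT:
            w.append(ev["time"])
            while ev["time"] - w[0] > window:  # drop challenges older than the window
                w.popleft()
            if len(w) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "first_push": w[0],
                                                 "pushes": 0, "approved": False})
                alert["pushes"] = max(alert["pushes"], len(w))
                alert["last_push"] = ev["time"]
        elif ev["type"] == MFA_AUTH and ev["result"] == "SUCCESS":
            alert = alerts.get(user)
            if alert and ev["time"] - alert["last_push"] <= window:
                alert["approved"] = True
    return [alerts[u] for u in sorted(alerts)]


# Constructed sample: alice is flooded and gives in, bob authenticates normally,
# carol is flooded but never approves.
T0 = datetime(2022, 9, 15, 20, 0, 0)
SAMPLE_LOG = (make_log("alice@example.com", T0, pushes=12, gap_seconds=20, approve=True)
              + make_log("bob@example.com", T0, pushes=2, gap_seconds=600, approve=True)
              + make_log("carol@example.com", T0, pushes=6, gap_seconds=20, approve=False))


def run_sample() -> List[dict]:
    return detect_mfa_fatigue(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['user']}: {alert['pushes']} pushes between {alert['first_push']} "
              f"and {alert['last_push']}, approved={alert['approved']}")
```

The two-tier output matters in practice: a flood that is never approved is a tip-off that an attacker already holds a valid password and should trigger a credential reset, while a flood followed by an approval means the account is now in the attacker's hands and warrants session revocation and the incident response steps the rest of this article describes.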

SOC Prime’s Detection as Code platform curates a set of Sigma rules to identify the malicious behavior related to this latest Uber breach. Click the Explore Detections button below to instantly reach dedicated detections and dive into relevant cyber threat context without registration directly from the Cyber Threats Search Engine.


Uber Breach 2022 Analysis

Based on news reports regarding the breach of Uber’s systems, the attacker manipulated one of the company’s employees into sharing their password, which allowed for the initial access of the target. The criminal hacker then proceeded with launching MFA fatigue attacks and compromising a worker’s Slack account to send out a message announcing to other employees that their company had suffered a data breach. In response, Uber has restricted access to Slack for internal communication. Among other compromised services are Google Cloud Platform, OneLogin, SentinelOne incident response portal, and AWS.

Several security researchers have already claimed the breach to be a “total security compromise” that might also result in the attacker posting the company’s source code online despite the tech giant’s representatives trying to “put out the fire” that started across media channels. The San Francisco-based ride-hailing company’s stance on the matter is different from the narrative voiced by non-Uber security analysts, mainly claiming that there is no evidence suggesting that the threat actor accessed sensitive data.

Prior to the incident, logs gathered from infostealers were put up for sale in the underground market. The infostealers that were used in these attacks against Uber employees were Raccoon and Vidar. The evidence suggests that the attacker used the acquired data to move laterally inside Uber’s network.

The motives of the threat actor are yet to be revealed, but his message shared in a channel on Uber’s Slack includes a demand for better pay for drivers. Uber representatives have not released any more updates publicly, claiming that the incident is currently under investigation.

Social engineering techniques are on the rise. This attack only mirrors the recent trend of criminal hackers accumulating more sophisticated approaches to leveraging the human factor in their attacks. Drastic times call for drastic measures! Join forces with SOC Prime to enhance your threat detection capabilities and security posture with the power of a global community of cybersecurity experts. You can also enrich the collaborative expertise by contributing to SOC Prime’s crowdsourcing initiative. Develop and submit your Sigma and YARA rules, get them published to the platform, and receive recurring rewards for your input.


By Carter Schoenberg, Contributor, CSO

Uber data breach – an insurance case study for directors and officers

When we evaluate the merits of what actually took place, we will see an interesting scenario develop that could directly impact Uber’s board of directors.


On November 21, 2017, Uber announced that the personal data of 57 million users were stolen in a breach, including 600,000 drivers in the United States. Reuters just reported that “Uber received an email last year from an anonymous person demanding money in exchange for user data and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.”

When we evaluate the merits of what actually took place, we will see an interesting scenario develop that could directly impact Uber’s board of directors. So, let us first examine how this breach compares with others. In Figure 1, we see that the raw number of records disseminated is low when we compare it against other major breaches. However, how many of the other breaches exposed both client and employee data?

According to Uber, the demand for money came in and they forwarded the demand to the team that handles bug bounties (a type of contest many large firms employ to help ensure their cyber risk mitigation strategies are up to par by challenging the hacker community to try and identify a weakness that would garner a cash award – in this case up to $10,000).

The first problem with this theory that underwriters need to consider is that this is not how a bug bounty program “should” work. The intent is to identify a material weakness, prove it with a proof of concept, and then get paid. If you take your activities to the next level and actually “steal” information, not only does that violate the law, it generally nullifies the terms and conditions set forth by the bug bounty program itself. But Uber’s program has no such language. Here’s what language is present:

Exposure of User Data: the ability to access user or employee data without having an authorized relationship from the Victim.

In-scope vulnerability class examples:
- AWS Identity & Access Management credential exposure resulting in access to driver documents in an S3 bucket.
- Adding a user to a Partner’s account, without them accepting the invite, resulting in exposure of name, phone number, and trip history.
- Password reset token exposure, allowing attacker the ability to reset password of victim and login to view sensitive user data.
- IDOR/authorization vulnerabilities resulting in exposure of personal data.

Out-of-scope vulnerability class examples:
- The ability to determine if a phone number or email has an Uber account, also known as an account oracle.

Potential domains to look at: auth.uber.com, partners.uber.com, riders.uber.com, eats.uber.com

There does not appear to me to be a scenario, either in or out of scope, that would be consistent with what Uber alleges took place. The ability to access is not the same thing as “exfiltration.” Even if this were the case, the dollar threshold is exceeded by 10x. So, something is not right here. Was this simply a tactic to downplay the event?

Was this a simple oversight by Uber’s staff when they received the demand?  Was there a corporate policy in place to define what to do in the face of a ransom? Perhaps a subsection of their Incident Response Plan?

If we do some quick math using the infamous IBM and Ponemon statistics, the cost per record is $141.00. If we use that metric, we are looking at over $8 billion in potential loss. Do I believe that it will cost them this amount? Not likely.

Reading “Executive Liability for Data Breach Notification Delay?” by Kevin LaCroix made me think of the potential financial implications of underwriting this cyber event and its linkage with Directors and Officers lines of coverage.

Uber has a fairly new CEO who was not present at the time of the breach as well as a new general counsel, Tony Scott, who was recently quoted as saying:

“I’m not the first to recognize that the company over-indexed on growth without putting in the appropriate guardrails,” he said in an interview Friday. “Fostering a culture of compliance is going to be one of my top priorities.”

Any company with excessive growth can find it hard to scale in areas that generally go unchecked by most businesses, such as at what point to hire a CISO, or at what point to hire additional staff with the skill sets needed to close the gaps that exist today. Does this constitute willful or intentional wrongdoing, a negating factor for D&O coverage? In my opinion, no.

However, what was known by Uber, and when? Also, failing to abide by the requirements of 48 state regulatory agencies (47 at the time of the breach) becomes (or should become) the discerning factor for the insurance carrier(s).

If Uber submits a claim for damages incurred by the theft of data, are they entitled to do so under a cyber policy? That depends on the following:

Now comes the interesting part.  Since we are a litigious society and there is always an attorney to champion a good cyber breach case, there exists a chance that Board Members could be subject to being swept into this debacle.  Are there factors under a D&O policy that could convert over to negating the cyber policy? 

According to Mackoul and Associates there are 10 scenarios that void a D&O claim.  I draw your attention to the first line item “Breach of Contract”.  The reason for this is that a contractual duty is not a liability imposed by law but rather a voluntarily undertaken obligation. Failure to comply with a signed contract would fall under willful or intentional wrongdoing and would not be covered.

There may exist a claim of breaching the contract by the 600,000 employees. If you go to Uber’s privacy site, you will see how they define their own policy.

For a number of years, the Federal Trade Commission has levied sanctions against companies for either misrepresenting or not adhering to stated privacy policies on corporate websites as an unfair and deceptive business practice.

While this case is still under investigation and more information is sure to surface, can the mere fact that Uber willfully did not advise each State Attorney General serve as a basis for breaching a contract between employer and employee, if the employer had a lawful duty to disclose? If the answer is “yes,” then this factor alone could negate any top cover a D&O policy may provide.

Furthermore, as described by Mackoul, under the header of “Willful or Intentional Wrongdoing”:

“A board may still be able to recover a fine resulting from intentional conduct if it can prove that it was only vicariously liable for misconduct but willful or intentional wrongdoing is normally not covered by D&O policies.”

Was this incident made aware to the board prior to public disclosure? If yes, what actions did they take to ensure State laws were met? If they did nothing and failed to meet the standard of care, does that constitute willful or intentional wrongdoing?  Did they even know about these requirements and if not, is ignorance of the law an excuse to vacate a guilty decision from being rendered? Short answer after over 1,000 hours in a courtroom, “no.”

Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law.

Copyright © 2017 IDG Communications, Inc.

Corporate Compliance Insights

Executive Responsibilities and Consequences: A Case Study of Uber’s Data Breaches

Individuals potentially face criminal charges for failing to disclose a data breach.


Organizations at risk of a data breach (that’s every organization, by the way) can learn something from Uber’s data privacy missteps. Squire Patton Boggs attorneys Colin Jennings, Ericka Johnson and Dylan Yépez offer key takeaways from the company’s high-profile data breaches.

On August 19, 2020, the former Chief Security Officer (CSO) for Uber Technologies Inc. (Uber) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million riders and drivers. Although an extreme case, it is a good reminder for companies and executives to take data breach disclosure obligations seriously.

The criminal complaint, filed in the U.S. District Court for the Northern District of California (“the Complaint”), appears to claim that Uber, through its former CSO, Joseph Sullivan, should have reported the 2016 data breach to federal investigators. But a business’s duty to disclose a data breach is not always clear, and there are often a myriad of laws, regulatory practices and consumer expectations when navigating a breach. Using Uber’s 2016 breach as a case study, company executives must be aware of and recognize the business and personal consequences associated with breach response, and specifically with intentionally concealing a breach.

The Obligation to Report a Data Breach is Often Not Straightforward

Across the world, countries have widely varying laws related to the protection of personal information and even greater variance on the requirements to disclose a breach of such information. Even within the United States, the definitions of “personal information” and “data breach” differ greatly from state to state, with no two state laws being identical, so businesses, particularly those operating on a national or global scale, must conduct multijurisdictional analyses to determine whether an obligation to disclose a given breach exists and, if so, the scope of the obligation. Often there are inconsistent laws and obligations, and regulatory and consumer expectations can vary greatly based on the nature, scope and context of the breach.


Many laws require disclosure of a data breach only if there is a “reasonable risk of harm” to the individual(s) whose personal information was unlawfully accessed and/or exfiltrated. This requires businesses to determine whether, based on the totality of circumstances, it is reasonably likely that a breach of personal information will harm affected individuals. On the other hand, some laws do not require any risk of harm. Further, given that the forensic review of a data breach evolves over time, it is not uncommon for the initial findings to change dramatically over the course of a breach response. What often appears to be a limited attack can become a wholesale loss of sensitive consumer or business data – and oftentimes both simultaneously.

The legal analysis is then complex, fact-specific and ever changing. Perhaps, for example, only a portion of the sensitive data was exposed (e.g., only the last four digits of a social security number or only an individual’s last name). Maybe, due to insufficient logs, forensic investigators cannot rule out the possibility that an unauthorized third party accessed the sensitive data or moved laterally into human resources data or databases containing consumer financial information. Or perhaps evidence suggests that the cybercriminals appear to be staging sensitive data for exfiltration, but have destroyed any evidence that data was actually taken. These are but a few examples of factors that can make the obligation to report far from straightforward.

As Uber’s 2016 breach response indicates, the difficulty of ascertaining a business’s breach notification obligations is not a defense to those company executives who intentionally conceal a breach. As discussed below, company executives who ultimately have to decide whether to disclose a breach should take notice of the potential consequences of making the wrong decision.

A Case Study in Intentionally Failing to Report a Breach

The Complaint alleges that, in response to Uber’s 2016 breach, former CSO Joseph Sullivan “engaged in a scheme to withhold and conceal from the [Federal Trade Commission] both the hack itself and the fact that that data breach had resulted in the hackers obtaining millions of records associated with Uber’s users and drivers.”

At the time of the breach, Sullivan was helping oversee Uber’s response to a Federal Trade Commission (FTC) investigation into Uber’s data security practices, which had been triggered, in part, by another Uber data breach that occurred in or around 2014. Sullivan was “intimately familiar with the nature and scope of the FTC’s investigation.”

About 10 days after providing sworn testimony to the FTC, however, Sullivan received an email from “[email protected],” claiming to have found a “major vulnerability in uber [sic],” and threatening that the hacker “was able to dump uber [sic] database and many other things.” Within days, Sullivan’s security team realized that an unauthorized person or persons had accessed Uber’s data and obtained, among other things, a copy of a database containing approximately 600,000 driver’s license numbers for Uber drivers.

Based on available information, this massive data breach likely triggered Uber’s duty to notify under numerous jurisdictions’ data breach laws. For comparison, the 2016 breach appeared significantly more expansive than the 2014 breach, in which a cybercriminal accessed over 100,000 individuals’ personal information on a cloud-based data warehouse.

Based on the Complaint, Sullivan allegedly took affirmative measures to conceal the data breach and the resulting exposure of data. Among other things, he allegedly:

Sullivan’s alleged motives to cover up the 2016 hack and data breach are the concerns that all companies must assess in connection with their breach notification responsibilities.

First , the Complaint appears to allege that one motive to conceal the breach was to prevent further reputational harm to the company. Like Uber’s customers, individuals entrust their data to companies on a daily basis, from making purchases to requesting services. Companies know, therefore, that they risk losing revenue if their customers lose confidence in the protection of their data.

Understanding this dynamic, he “became aware the attackers had accessed [the cloud] in almost the identical manner the 2014 attacker had used,” according to the Complaint. “That is, the attackers were able to access Uber’s source code on GitHub (this time by using stolen credentials), locate [a cloud] credential and use that credential to download Uber’s data.” As such, the Complaint appears to allege that both the embarrassment of falling victim to the same attack vector and the associated reputational consequences may have motivated Sullivan to conceal the breach.
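The attack path quoted above turns on a cloud credential that was sitting in source code. The following is an added example, not Uber’s code or any real scanning tool: a small secret scanner that walks constructed file contents, matches an AWS access key ID by its documented AKIA prefix, and flags other key-like assignments whose values have high Shannon entropy. The in-memory repository, rule set and entropy threshold are assumptions; the key values are AWS’s documented example placeholders, not live credentials.

```python
"""
Added example (not Uber's code or a real tool): scan repository contents
for committed cloud credentials before they reach a shared remote. Files,
rules and thresholds are constructed; the key strings are AWS's documented
example placeholders, not real keys.
"""
import math
import re
from collections import Counter

# Constructed in-memory "repository": path -> file contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed sample; AWS documented example values, not real keys\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'REGION = "us-east-1"\n'
    ),
    "README.md": (
        'Set api_key = "0000000000000000000000" and password = "changeme"\n'
        "in config/settings.py before running.\n"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character; tuning assumption

# Ordered rules: (kind, regex with the candidate value in group 1, entropy check?)
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    ("high_entropy_secret",
     re.compile(r"(?i)\b[a-z_]*(?:secret|token|password|api_key)[a-z_]*"
                r"""\s*[:=]\s*["']([^"'\s]{16,})["']"""),
     True),
]


def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Show enough to locate the secret without repeating it in the report."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_files(files, entropy_threshold=ENTROPY_THRESHOLD):
    """Return findings as dicts: path, line, kind, redacted value, entropy."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for kind, pattern, needs_entropy in RULES:
                match = pattern.search(line)
                if not match:
                    continue
                value = match.group(1)
                entropy = shannon_entropy(value)
                if needs_entropy and entropy < entropy_threshold:
                    continue  # placeholder-looking value, e.g. all zeros
                findings.append({
                    "path": path, "line": lineno, "kind": kind,
                    "value": redact(value), "entropy": round(entropy, 2),
                })
                break  # first matching rule wins for a line
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']} entropy={f['entropy']}")
```

Run as a pre-commit hook (assumption: wired in by the team, not by this script), a non-empty findings list blocks the commit; the README placeholders are ignored because their entropy is too low to be a real key.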

Second , the Complaint appears to allege that another motive for concealing the breach was to prevent additional regulatory scrutiny. In the United States, companies like Uber are subject to many state- and industry-specific regulators (e.g., state Attorneys General, the Securities and Exchange Commission, FTC) — often simultaneously. Additionally, outside of the United States there are numerous laws and data protection or other authorities that govern data breaches.

At the time of the breach, Sullivan was actively responding to the FTC’s inquiries to assist in reaching a settlement related to the 2014 breach. For example, he approved language to the FTC representing that “‘all new database backup files’ had been encrypted since August 2014,” when in fact, they had not. Sullivan’s fears may not have been misplaced. In light of the new information regarding the 2016 breach, the FTC effectively withdrew its previous settlement terms and added requirements to the resolution with Uber.

Ultimately, it appears that such attempts to rationalize and avoid Uber’s breach notification responsibilities may have led Sullivan to engage in the actions he did.

Lesson Learned

In a public statement, the FBI advised that, “[w]hile this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice.” In effect, the consequences of failing to disclose a data breach are the most extreme in cases where a notification obligation clearly exists and the company and its officers consciously decide to circumvent that obligation during the course of an ongoing investigation. While companies have incentives to rationalize and avoid their disclosure obligations (e.g., reputational harm, regulatory oversight, expense), this incident highlights the potential consequences executives should be aware of when weighing the business decision to disclose a breach. Disclosure and direct individual notification of a data breach is now the expectation, and the decision to not disclose must be very carefully weighed – taking into account law, regulatory practice and consumer/customer expectations. One size does not fit all, and the nature, scope and circumstance of the specific breach must be carefully assessed in real time.

Ultimately, the legal analysis to determine whether an obligation exists and the business decision to disclose the same are nuanced and complex. If you experience a data breach, it is best to retain counsel who is highly experienced in the nuances of data breaches and the complexities of data breach notification laws for help determining whether and how to disclose a given breach.


Colin Jennings, Ericka Johnson and Dylan Yépez



© 2022 Corporate Compliance Insights

Golden Data Law

May 13, 2019


The Uber Breach Story: On how security woes can lead to a criminal complaint

Uber’s security and privacy woes started in 2011 with reports of parties treating guests to Uber’s “God View”. Apparently there were two versions of the “God View”: the anonymized version, which was OK, and the “Creepy Stalker version”, showing the whereabouts and movements of specific Uber users in real time. Entrepreneur Peter Sims was featured in the creepy…

