
What to Know About Uber’s Major Data Breach  

A data breach of Uber Technologies holds multiple lessons for security professionals.

The breach was first announced by what seemed to be a lone hacker who apparently tricked an Uber employee into handing over their credentials. As the Associated Press reports, the company said its services, temporarily taken down as a precautionary measure, were operational again. Uber said there was no sign the hacker had accessed ride histories or other “sensitive user data.”

It wasn’t immediately clear how long the hacker was inside Uber’s systems or how much data they took. The hacker self-identified as an 18-year-old to one security researcher who communicated with them. The researchers said the hacker seemed to be motivated by publicity. (As CNN reports, Uber has since claimed that the hacking group Lapsus$ was responsible for the attack.)

The potential damage was significant: The person shared screenshots with researchers showing access to the cloud-based systems where Uber stores sensitive customer and financial data.

As Claims Journal reports, the breach puts focus on a form of social engineering that is becoming more and more widespread, where hackers pose as colleagues and fool employees into giving them access.

Similar social engineering was used in a 2020 cybersecurity incident at Twitter and more recent hacks of tech companies Twilio and Cloudflare. Rachel Tobac, CEO of SocialProof Security, which offers training against social engineering, told Claims Journal that “even super smart tech savvy people fall for social engineering methods every day.”

As hackers increasingly work around multi-factor authentication, many security pros have called for the use of what are known as FIDO physical security keys for user authentication.

As The Wall Street Journal reports, the Uber breach highlights how top tech companies are still vulnerable to breaches. Digital identity verification provider Okta and security-focused messaging service Signal have each also disclosed security breaches this year, with Signal blaming third-party vendor Twilio.

As ITP.net reports, the Uber breach spurred calls among the cybersecurity community for companies to “get the basics right.”

According to Ars Technica, this kind of breach will persist until FIDO2 forms of MFA requiring a phone or physical key become more widespread.
