In mid-December 2022 Uber reported a new data breach. This is not the first time a data breach has impacted the taxi firm, but this time it resulted from a compromised third-party vendor.
A spokesperson for Uber has told Bleeping Computer today that the “files are related to an incident at a third-party vendor and are unrelated to our security incident in September.”
It appears that a threat actor leaked source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate data.
The leaked data does not include customer data but contains enough detailed information to conduct targeted phishing attacks on Uber employees to obtain even more sensitive information, like login credentials. This places Uber employees’ sensitive login information at risk and threatens the perimeter of the organization.
Looking into this significant issue for Digital Journal is Almog Apirion, CEO & Co-Founder of Cyolo. Apirion has long been interested in the growing security threat of third-party vendors and how organizations can protect newly vulnerable information obtained by threat actors.
Apirion begins by assessing the issue that has affected Uber: “With the evolving nature of cyber-attacks, Uber’s second breach in a few months emphasizes that companies can no longer blindly trust the security measures of third-party vendors.”
Developing this vulnerability theme, Apirion continues: “The more external parties are granted access to a business’s internal infrastructure, the greater the opportunity for threat actors to compromise vulnerable company data.”
On the specific issue, Apirion elaborates: “In this case, enough employee information was stolen to carry out a phishing campaign across Uber’s employees, placing the company at an even greater risk of critical information being stolen. As Uber prepares for users to fall victim to potential email scams, a layered zero-trust security practice, including identity-based access control solutions, is crucial to securing resources at a deeper level.”
In terms of what lessons the wider business community should be drawing from the Uber incident, Apirion advises: “This breach goes to show the importance of a strong incident response plan in place that is not only updated on a regular basis, but also practiced. Companies can achieve full control and visibility over the entire IT ecosystem while protecting against advanced threats by integrating modern zero-trust solutions and implementing strong authentication requirements.”
Apirion further recommends: “As malicious actors expand their attack strategies to external partners, businesses will need to keep pace and prioritize improved security systems. Integrating a combination that addresses the network, the user, and the device makes it significantly more difficult for attackers to access and laterally move within an organization’s internal infrastructure.”