UBER HACK – LESSONS FROM THE ATTACK

Hi there!

Thank you for continuously following our newsletters! We are certain you have learnt so much during this period and are delighted to keep bringing you wonderful insights and content on Data Protection and Cyber-security.

It's probably safe to assume that you have used an Uber ride, or know someone who has, in the past. Uber is one of the biggest companies in the world and probably the biggest in ride hailing; it is estimated to have well over 50 million customers worldwide and implements state of the art technology[1] in running its business. How then was an 18-year-old hacker able to get unauthorised access to Uber's database and gain possession of confidential data, including personal data of Uber's riders and internal corporate communication?

Uber announced through its website[2] on September 19, 2022, that an attacker had compromised the account of one of its contractors and used it to access other employee accounts within the company, giving the attacker elevated permissions to a number of tools, including G-suite and Slack (which the company uses for internal communications). It is also worth noting that Uber had suffered a similar breach in late 2016, which was initially concealed.

In our previous article, we discussed the social engineering technique used by cybercriminals in carrying out their schemes. Social Engineering is an act of manipulation that exploits human error to acquire private information, access, or valuables[3]. This form of scam tends to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. The attacker who claimed responsibility for the hack revealed that he had employed a social engineering strategy by sending a text message to an Uber worker while impersonating corporate information technology personnel. The worker was then persuaded to hand over a password that allowed the hacker to gain access to Uber's systems.

Considering Uber's size and level of exposure, it is surprising that such tactics could be used to expose the company to such a breach. This attack underscores the importance of adequate and continuous cyber-security awareness for both the private and public sectors. Employers need to continuously invest in educating their employees on how to detect and handle possible cyber threats, regardless of the techniques being employed. Emphasis is laid on the word "continuous." This is particularly important because cyber criminals are continuously evolving their techniques and scams, and without proper knowledge, one may easily fall victim to hackers. This responsibility is not for employers alone; individuals can also protect themselves from the loss and liability that may arise from a cyber-attack.

Another crucial step in mitigating cyber threats is the use of appropriate information security infrastructure. Organisations are advised to invest in computer software and tools that aid in identifying potential cyber threats, harmful websites on the internet, and possible phishing links.

Other means of preventing similar attacks in the future include:

  1. Use multifactor authentication to ensure personal accounts are protected against compromise[4].
  2. Be cautious of tempting offers and think before accepting them, especially when they seem too good to be true.
  3. Avoid oversharing on the internet that could give hackers access to sensitive data.

There have been several implications of the Uber breach for the company, including the legal liabilities arising from it. After the 2017 breach occurred, a senior executive at Uber was dismissed from office because he failed to disclose details of the breach to the relevant regulator and to those affected by the breach, thereby possibly obstructing justice (he has since been found guilty and convicted for his role in the concealment)[5]. While this was more of a personal loss, Uber had earlier entered into a settlement with the hacker to delete and refrain from exposing the obtained information in exchange for a sum of money[6]. Uber, which has now been exposed on two separate occasions, may also have suffered reputational damage due to its inability to protect Personal Information.

We should take lessons from the Uber breach and protect ourselves and our businesses from the damages that may arise from a breach. It is important to check the actual email address to ensure a message is from the organisation or person it appears to be from. Also, don't click on an emailed link or attachment without verifying the email's authenticity.

Cheers!


[1] Defined by the Oxford Dictionary to mean 'the most recent stage in the development of a product, incorporating the newest technology, ideas, and features'.

[2] Uber Security Update – https://www.uber.com/newsroom/security-update/ accessed on the 27th of October, 2022.

[3] Nigeria Data Protection Academy – https://blog.ndpracademy.ng/the-effect-of-social-engineering-insights-from-the-samsung-expose/ accessed on the 27th of October, 2022.

[4] The effect of social engineering: insights from the Samsung exposé – NDPR Academy blog, 2022, accessed on the 27th of October, 2022.

[5] https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach accessed on the 2nd of November, 2022.

[6] https://lifelock.norton.com/learn/data-breaches/uber-data-breach-affects-57-million-rider-and-driver-accounts#
