This postmortem document examines one of the more high-profile cybersecurity breaches of the last several years – the series of data breaches perpetrated against popular ride-sharing application and service, Uber. The document deconstructs the vulnerabilities and failures enabling the success of these intrusions occurring in quick succession between 2022 and 2023. Part of a series of cyberattack postmortems, this document contains a profile on the victimized organization and a recap of key information about how the attacks were committed.
As is almost always the case with events of this nature, there is more than one vulnerability exploited by threat actors to successfully effectuate these attacks. In fact, there are often a number of failures within different areas of the victim organization’s overall InfoSec strategy which, combined, enable threat actors to achieve their criminal goals, and which make the follow-on consequences of the initial breach far worse over time.
Shockingly, nearly all the enormous, costly data breaches and cyberattacks examined by this series share one glaring commonality. It is a consideration all too frequently overlooked by even the most sophisticated InfoSec programs and one which, even in the aftermath of a catastrophic security breach, is still left inadequately addressed. The commonality threading through this and most other cybersecurity failures: inadequate External Data Privacy Management or “EDPM”.
THE VICTIM ORGANIZATION
Uber Technologies is the undisputed market leader in an industry it is largely credited with launching. Its wildly popular ride-hailing app radically transformed and democratized the taxi-livery industry all over the world. The dramatic adoption of the technology propelled Uber Technologies to the pinnacles of success, making it, for a time, the world’s most valuable startup. Prior to its 2019 IPO, Uber was valued by investors at as much as $120 billion. Following its May 9, 2019, IPO, Uber again made history with the biggest first-day value loss in American history proving the axiom that “the bigger they are, the harder they fall”.
The same axiom can be equally applied to the information security fortunes of the largest, highest-profile organizations. And the losses following a data breach can have financial consequences no less devastating in nature. Despite the rise and fall of its stock valuation however, Uber still reigns supreme in the ride-hailing industry which is here to stay and on a global growth vector for the foreseeable future. The company continues to innovate and re-imagine the face of industries including supply chain logistics (Uber Freight), self-driving/autonomous vehicles, food delivery services (Uber Eats) and more.
Despite being a web-native technology company that employs some of the world’s leading development and InfoSec talent, Uber’s disruptive business model and meteoric growth were not enough to protect the organization from the shockingly simple yet effective attacks carried out by cyber criminals and other threat actors.
KNOWN FACTS OF THE ATTACKS
As noted, Uber suffered three distinct breaches in roughly six months between September 2022 and early 2023. The most damaging and embarrassing was the September 2022 intrusion, which we’ll examine first.
On September 15th 2022, a hacker using a common social engineering technique got into Uber’s network and gained administrative-level access to its systems. Although the company stated that no sensitive user data was accessed, a great deal of sensitive internal data was exposed to the threat actor. And as is often the case, it is access to the internals of an organization – in this case Uber’s AWS deployment, its SentinelOne endpoint detection and response console and even its Slack internal communications platform – that produces the long-term consequences for overall organizational security.
Once inside, the attacker connected to Uber’s VPN, scanned the internal network and found, on a network share, Microsoft PowerShell scripts containing hard-coded login credentials for an administrative user in Thycotic, Uber’s Privileged Access Management (PAM) system. This discovery escalated the gravity of the breach considerably: the PAM account handed the attacker administrative access to all of Uber’s critical services, including not only Amazon Web Services (AWS) but also DA (domain administrator), Duo, OneLogin and GSuite. The intruder also reportedly obtained access to Uber’s HackerOne bug bounty reports, which typically describe security flaws that have not yet been fixed. A PAM system exists precisely so that privileged credentials are checked out per session and never written down; credentials for its own administrator sitting in a script on a file share defeats that purpose.
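Hard-coded PAM credentials in a script on a share are the kind of finding a defender can hunt for before an attacker does. The Python below is added here as an illustration; it is not Uber’s or Thycotic’s tooling. It walks a directory of PowerShell scripts and flags the common ways credentials get embedded: a plaintext assignment to a variable whose name suggests a secret, ConvertTo-SecureString used with -AsPlainText, a literal passed to a -Password style parameter, and user:password@ inside a URL. The two sample scripts, the Connect-PamApi cmdlet and the host names in them are constructed for the example and correspond to nothing real.

```python
"""Hunt for hard-coded credentials in PowerShell scripts.

Added example, not Uber's or any vendor's code. The regexes are a
starting point for a sweep over file shares; tune them to your naming
conventions and expect some false positives.
"""
import re
from pathlib import Path

# Rule name -> pattern. All constructed for illustration.
PATTERNS = [
    # $pamPassword = "literal"   (variable name hints at a secret)
    ("plaintext_password_assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    # ConvertTo-SecureString "literal" -AsPlainText
    ("convertto_securestring_asplaintext",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    # Some-Cmdlet -Password "literal"
    ("inline_password_parameter",
     re.compile(r'-(?:Password|Pass|Pwd|Secret|ApiKey|Token)\s+["\'][^"\']{4,}["\']', re.I)),
    # https://user:password@host/...
    ("basic_auth_url",
     re.compile(r'https?://[^\s/:@"\']+:[^\s/:@"\']+@', re.I)),
]


def redact(snippet):
    """Mask the secret so findings can be logged or ticketed safely."""
    snippet = re.sub(r'(["\'])[^"\']*\1', r'\1***\1', snippet)          # quoted literals
    snippet = re.sub(r'(://[^\s/:@"\']+:)[^\s/:@"\']+@', r'\1***@', snippet)  # URL passwords
    return snippet


def scan_text(text, source="<memory>"):
    """Return one finding per (line, rule) hit. Comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"source": source, "line": lineno,
                                 "rule": rule, "snippet": redact(m.group(0))})
    return findings


def scan_directory(root):
    """Scan every *.ps1 under root (recursively)."""
    findings = []
    for path in sorted(Path(root).rglob("*.ps1")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample; NOT a real Uber script. Connect-PamApi is a made-up cmdlet.
BAD_SCRIPT = """# Constructed sample; NOT a real Uber script
$pamUser = "svc-pam-admin"
$pamPassword = "Sup3rS3cret!"
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
Connect-PamApi -User $pamUser -Password "Sup3rS3cret!"
Invoke-WebRequest "https://svc-deploy:Tr0ub4dor@repo.example.internal/pkg"
"""

# Constructed sample of the non-leaking alternatives: prompt interactively,
# or pull the secret from a SecretManagement vault at run time.
GOOD_SCRIPT = """# Constructed sample showing the non-leaking alternatives
$cred = Get-Credential
$pamSecret = Get-Secret -Name PamAdmin -Vault CorpVault
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
"""

if __name__ == "__main__":
    for f in scan_text(BAD_SCRIPT, "deploy.ps1"):
        print(f"{f['source']}:{f['line']} {f['rule']}: {f['snippet']}")
    print("clean script findings:", scan_text(GOOD_SCRIPT, "ok.ps1"))
```

Run scan_directory against the shares your build and automation accounts can read; an attacker who lands on the VPN with an ordinary user’s session sees exactly those shares. Findings are redacted before they are returned so the report itself does not become a second copy of the secret.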
The third breach came through a third party. Unauthorized access to the network of one of Uber’s contracted law firms exposed driver data the firm held on Uber’s behalf. Breaches of the vendors, partners and service providers that hold an organization’s data are a form of supply-chain risk: the target’s own controls never come into play, because the data leaves from a system the target does not operate.
INITIAL CONSEQUENCES OF THE ATTACK
The September 2022 attack, which Uber attributed to an actor affiliated with the hacking group known as “Lapsus$”, reportedly exposed sensitive data including source code, financial data and employee information. The reputational hit to Uber (which had already suffered humiliating security failures in 2014, 2016, 2017, 2018 and 2020) was made worse when the hacker taunted the company online, posting screenshots on social media and in Dark Web forums that purported to prove internal access to Uber’s driver database, customer database and financial systems, and soliciting other threat actors to buy the purloined data.
Compounding the pain, the 2022 and 2023 breaches via third-party relationships included one that originated within the network of a law firm Uber had engaged to defend it against legal action arising from Uber’s breaches between 2014 and 2020. At every step, the hackers seemed to delight in publicly shaming Uber for its inability to protect sensitive networks, employee and customer PII and other critical data systems.
Through the 2022-2023 period, Uber suffered the exposure of large volumes of user data, reported to include names, addresses, phone numbers, Social Security numbers, driver’s license and registration numbers, credit card information and more. Uber also lost internal device information (serial numbers, makes, models and technical specifications) and employee user information; Uber acknowledged that employee data was exposed. Employees’ first and last names, work email addresses, work location details and similar data are exactly what fuels the next round of social engineering attacks. This is how the initial exposure drives the longer-term consequences commonly associated with data breaches.
ATTACK VECTORS AND EDPM
The hackers behind Uber’s recent spate of embarrassing breaches relied on social engineering to gain unauthorized access to sensitive data. They did not spend significant time or effort trying to break encryption or combing through millions of lines of code for an exploitable vulnerability. Attacks on people now account for a larger share of initial access than attacks on traditional InfoSec infrastructure, because it is far easier to trick a person into sharing or approving the use of their credentials than it is to defeat well-built security controls.
As detailed in the Privacy Bee white paper titled “Mitigating Exposed PII Dramatically Lowers Risk of Data Breach via Social Engineering”, social engineering attacks are now the predominant vector for attacks on organizations of all sizes and compositions. The paper notes, “The 2022 Incident Response Report from cybersecurity firm, Palo Alto Networks, publishes a visualization illustrating criminals’ increasing preference for exploiting external data privacy gaps. Note that in 2022, attacks on internal data structures through brute force credential attacks and through hacking to exploit software vulnerabilities were responsible for a combined 40% of initial, unauthorized access (data breach) to information systems. On the other hand, Phishing, Social Engineering and otherwise compromised credentials made up 48% of unauthorized access.”
Social Engineering attacks all rely on the availability of unsecured external data and the absence or weakness of External Data Privacy Management (EDPM) to generate the scams used to spoof, trick or fool their way into secured systems. Hackers use social engineering methods like Phishing/Spear Phishing, Smishing, Business Email Compromise, Whaling and others to deploy malicious code, spring malware or ransomware attacks or simply steal data such as employee and customer PII, trade secrets and other valuable data.
Two Factor Authentication Fatigue Attack
In the recent Uber example, the breach began with stolen login credentials. According to Uber’s own account, the account belonged to an external contractor whose personal device had likely been infected with malware that harvested the password, which the hacker then bought on a dark web marketplace. (Others have suggested the credentials were obtained through a phishing scam, or were exposed in one of the earlier breaches of Uber systems.) In either event, Uber had two-factor authentication in place, which should have blocked a login with a stolen password alone.
The first attempts to log in with the stolen credentials failed because the account was protected by multi-factor authentication (MFA). To get past it, the hacker contacted the contractor on WhatsApp (a personal contact channel found through unsecured external data), claiming to be from Uber’s IT department, and asked them to approve the MFA notifications arriving on their phone. The hacker then flooded the phone with MFA push requests, creating pressure to comply – a technique known as an MFA or “2FA fatigue” attack. Eventually the target, wanting the flood of prompts to stop, approved one of them, and the hacker was in.
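Push bombing leaves a recognizable trail in the identity provider’s logs: many push challenges to one user in a short window, then an approval. The Python below is added here as an example; it is not Uber’s detection logic and does not follow any vendor’s log schema. It implements that check over a constructed sample log with a sliding window per user, and raises a higher-severity alert when a flood is followed by an approval. The event names, field names, user names and IP addresses are assumptions; map your IdP’s push-sent and push-approved events onto them.

```python
"""Detect MFA push-bombing ("2FA fatigue") in authentication logs.

Added example; not Uber's tooling and not a real log format. Each event is a
dict with user, ISO-8601 UTC timestamp, event name and source IP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. alice and carol are benign; bob is push-bombed.
SAMPLE_EVENTS = [
    # alice: one push, approved within seconds
    {"user": "alice", "ts": "2022-09-15T21:00:00", "event": "push_sent", "src_ip": "203.0.113.7"},
    {"user": "alice", "ts": "2022-09-15T21:00:09", "event": "push_approved", "src_ip": "203.0.113.7"},
    # carol: a few retries spread over an hour, never a burst
    {"user": "carol", "ts": "2022-09-15T20:00:00", "event": "push_sent", "src_ip": "198.51.100.4"},
    {"user": "carol", "ts": "2022-09-15T20:15:00", "event": "push_sent", "src_ip": "198.51.100.4"},
    {"user": "carol", "ts": "2022-09-15T20:45:00", "event": "push_sent", "src_ip": "198.51.100.4"},
    {"user": "carol", "ts": "2022-09-15T20:45:20", "event": "push_approved", "src_ip": "198.51.100.4"},
]
# bob: twelve pushes twenty seconds apart (21:10:00 to 21:13:40), then an approval
SAMPLE_EVENTS += [
    {"user": "bob",
     "ts": f"2022-09-15T21:{10 + (20 * i) // 60:02d}:{(20 * i) % 60:02d}",
     "event": "push_sent", "src_ip": "192.0.2.66"}
    for i in range(12)
]
SAMPLE_EVENTS.append(
    {"user": "bob", "ts": "2022-09-15T21:14:05", "event": "push_approved", "src_ip": "192.0.2.66"}
)


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return alerts, in time order.

    push_flood           : a user received `threshold` pushes inside `window`
                           (raised once, as the threshold is crossed)
    approval_after_flood : that user then approved a push while the flood
                           was still inside the window (the Uber outcome)
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of pushes still inside window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["user"]]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if e["event"] == "push_sent":
            q.append(ts)
            if len(q) == threshold:
                alerts.append({"user": e["user"], "kind": "push_flood", "severity": "medium",
                               "count": len(q), "at": e["ts"], "src_ip": e["src_ip"]})
        elif e["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({"user": e["user"], "kind": "approval_after_flood", "severity": "high",
                           "count": len(q), "at": e["ts"], "src_ip": e["src_ip"]})
            q.clear()  # the session is now the incident; start fresh for this user
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_EVENTS):
        print(f"{a['at']} {a['severity']:<6} {a['kind']:<22} user={a['user']} "
              f"pushes={a['count']} src={a['src_ip']}")
```

An approval_after_flood alert should revoke the user’s sessions and trigger an out-of-band call to the user, since the attacker already holds a valid session at that point. The durable fix is number matching (the user must type a code shown on the login screen into the authenticator), which removes the “just tap approve” failure mode entirely; the detector above is the compensating control until that is enabled.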
The simple flow chart below illustrates the initial intrusion and how, once inside, the hacker was able to infiltrate multiple, additional information systems.
Third-Party Vendor Attack
In 2023, after the social engineering attack illustrated above, threat actors trained their sights on law firm Genova Burns LLC in Newark, New Jersey. Genova Burns had been representing Uber Technologies, defending them against claims resulting from Uber’s earlier troubles with data systems breaches.
In a letter sent to Uber drivers whose PII was exposed in the hack of Genova Burns’ systems, the firm wrote:
“On January 31, 2023, Genova Burns became aware of suspicious activity relating to our internal information systems. In response, we engaged outside forensic and data security specialists to investigate the nature and scope of the activity. We determined that an unauthorized third party gained access to our systems and certain limited files were accessed or exfiltrated between January 23, 2023 and January 31, 2023.”
Investigators hired by Genova Burns determined that the data was likely accessed as the result of a phishing attack against the firm, and that the exfiltrated files included drivers’ Social Security and tax identification numbers.
Third-party attacks are an increasingly popular methodology used by hackers to gain access to high profile, high value targets. The largest organizations make attractive targets to hackers, but they also tend to have the largest, most robust budgets for information security. However, the vendors, partners, contractors and other third parties serving the large target organizations are often smaller, with fewer resources to apply to InfoSec. And because modern business operations rely heavily on integrated information systems for things as mundane as purchasing, resource planning, logistics, document management and others, third parties are frequently afforded access (typically limited) to the information systems of their large client organizations. It is these pathways to entry that hackers exploit by attacking third party vendors’ systems.
LONGER TERM CONSEQUENCES OF THE ATTACK
The long-term consequences of these breaches on Uber Technologies range from financial loss to legal action – from loss of sensitive data to reputational damage. All these consequences can have a dramatic impact upon any organization’s ability to remain profitable and operational.
The well-regarded Ponemon Institute recently released a study noting that the average cost associated with a data breach has risen 12% over the last five years and continues to rise. Costs can include spending on incident response and mitigation, investigation of the breach, compensation to affected parties/customers/employees/partners, investment in new security efforts and penalties imposed by regulatory bodies and governments.
Legal action is another major consequence of data breaches: those affected file claims against the breached organization, which then must spend significant sums to defend against them. In some cases, class-action lawsuits are brought by large groups of individuals whose data was compromised. In others, suits are brought by business partners whose intellectual property was compromised in the breach. Being forced to focus on legal struggles is not only costly but takes time and energy away from core business activities and increases operational downtime.
For an organization like Uber Technologies however, the reputational damage of data breaches is likely the most devastating consequence. The exposure of thousands of Uber drivers’ PII is likely to have a depressive effect on Uber’s ability to attract new drivers to the platform. Exposure of thousands of customers’ credit card and other sensitive data will equally depress the influx of new users of the Uber ridesharing application or its subsidiaries like Uber Eats. Neither customers nor drivers want to expose themselves to the prospect of having their information stolen.
Moreover, as is evident with the Uber example, the negative effects of data breaches seem to form a feedback loop. The recent 2022-2023 breaches were likely enabled by data stolen from Uber in breaches in earlier years. Data stolen is typically posted for sale or even for free on the Dark Web and used by other hackers to perpetrate additional social engineering attacks, leveraging the relevancy of the personal identifiers found in those stolen files. Each subsequent breach deals a blow to the organization’s reputation and financial health, at the same time it provides the seeds for the next attacks to be planned.
The existence of unsecured external data – employee data, vendor employee data, etc. – plays an outsized role in hackers’ ability to carry out the social engineering scams that result in repeated breaches. Following each successful breach, Uber (like so many other companies) focuses on hardening its traditional InfoSec controls: more and better two-factor authentication, tighter endpoint security, improved password management, increased employee awareness training. None of that is wasted effort. But all of those protections are undercut if an organization does not also invest time and effort in securing external data and in EDPM, removing as much as it can of the raw material hackers need to build social engineering attacks.
EXTERNAL DATA PRIVACY MANAGEMENT
Avoiding social engineering attacks and the resulting data breaches depends on securing external data privacy. This means scrubbing the external data of all relevant employees (both internal and third party) from the many sources of PII available. Removing identifiable information that can be used to generate phishing and other scams from hundreds of data brokers, people search sites and public data sources sounds like an insurmountable task. But it is achievable, and it is truly the only way to protect against falling victim. Privacy Bee for Business is a leader in delivering EDPM solutions that are proven effective at reducing the digital attack surface and adding the necessary data privacy layer of protection atop the rest of the traditional information security practices already widely in use.
It is recommended that all organizations avail themselves of these easy-to-deploy scans and metrics to determine their existing level of EDPM vulnerability.
Privacy Bee’s Employee Risk Management (ERM) is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure your employees (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure and affect that person’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.
Privacy Bee’s External Data Privacy Audit is another web-based privacy app for quickly and easily scanning employees’ PII exposure. This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates the potential financial impact across your company. It is a critical view into risk assessment, operational inefficiencies, emerging cyber risk and External Data Privacy Management.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (data brokers, people search sites, paste sites and more). It delivers a centralized view of public employee exposures and insight into the tangible financial impact they have on your organization.
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to parties outside your organization who may have a degree of access to your sensitive information systems, including software providers and contract development resources. This solution evaluates all your vendor and partner organizations for External Data Privacy risks, then reports a simple Privacy Risk Score for each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your third-party vendors one-on-one to decrease their vulnerabilities, effectively de-risking your company.
While all these (and other) audits and monitoring services are available at no cost, it is removing employee PII from unsafe locations on the net that actually reduces the risk and the attack surface. Your organization could take this on as an internal activity, but most organizations prefer to outsource removal to Privacy Bee for the employees and vendors identified as at risk. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from the unsafe corners of the internet.
Putting EDPM solutions like these in place does the most good before an attack. They are useful as a restorative, to clean up after a breach has occurred, but it is best to deploy them from the outset so as to avoid becoming the next high-profile victim.
Speak with Privacy Bee to discuss the External Data Privacy Management at your company.