Uber’s track record with data security isn’t great. The most recent confirmed Uber data breach in April 2023 exposed drivers’ sensitive information, and now another incident is under investigation. What went wrong? How did the latest Uber data breach occur, and how did the company respond? In this article, we’ll explore the causes, Uber’s response, and best practices to prevent future data breaches.
In April 2023, hackers targeted Uber’s law firm, Genova Burns LLC, which handled sensitive driver information. According to a letter published on April 4, the firm noticed unusual activity in its IT systems in January and immediately hired a forensic security team to investigate. The investigation confirmed that an unauthorized party had accessed the law firm’s systems.
Hackers accessed sensitive data drivers had given to Uber, including names, Social Security numbers, and Taxpayer Identification Numbers. With this information, scammers can commit identity theft, open fraudulent accounts, and file false tax returns.
This stolen data can also be sold on the dark web, fueling further criminal activities. Neither Genova Burns nor Uber has disclosed how many drivers were affected by the breach.
In a statement sent to The Register, an Uber spokesperson acknowledged the attack on Genova Burns and confirmed that the company had notified the affected drivers. However, Uber did not respond to The Register’s question about how many drivers had their records stolen, leaving the scope of the breach unclear.
In its letter to affected drivers, Genova Burns indicated that it had investigated the data breach to determine its extent and secured the company’s systems by resetting all passwords. The firm also alerted law enforcement and said it was cooperating with the investigation.
Although Genova Burns promised to implement additional security measures, the letter did not specify what those measures would be. As a precaution, the law firm also offered affected drivers 12 months of complimentary identity monitoring services.
To our knowledge, before the 2023 Uber data breach, the law firm had not been publicly linked to any other security incidents affecting clients. For Uber, however, this wasn’t the first time it faced a data breach. The ride-sharing service has a patchy record when it comes to data management.
{SHORTCODES.blogRelatedArticles}
The April 2023 Uber data leak is just the latest in a string of cybersecurity incidents the company has faced in recent years. Let’s take a closer look at some of the most notable breaches Uber has experienced over the past five years.
In December 2022, Uber experienced a data breach when a hacker group called UberLeaks posted sensitive company information on a hacking forum. BleepingComputer, the first media outlet to report on the breach, initially suspected that the data had been stolen during a previous cyberattack in September. However, Uber clarified that it was linked to a security breach at Teqtivity, a third-party vendor responsible for managing Uber’s IT assets.
BleepingComputer found that the leaked data included email addresses and Windows Active Directory information for over 77,000 Uber employees. Security researchers confirmed that this cyber incident affected only Uber’s internal corporate systems, not its customers. Nevertheless, the exposed data put all affected employees at risk of phishing attacks and other cyber threats (BleepingComputer, 2022).
In September 2022, a hacker compromised an Uber contractor’s account by likely purchasing their password from the dark web after malware infected their personal device. This was a social engineering attack because the hacker repeatedly attempted to log in, and the contractor mistakenly approved a two-factor authentication request.
This approval granted the hacker access to multiple employee accounts, including tools like G-Suite and Slack. The hacker then posted a message on the company-wide Slack channel and changed Uber’s internal settings to display a graphic image. Uber suspects the attacker is linked to the Lapsus$ hacking group, which targeted several tech companies like Microsoft, Cisco, Samsung, Nvidia, and Okta in 2022 (Uber, 2022).
In August 2020, the cybersecurity firm Cyble discovered personal information from Uber Eats customers and drivers available on the dark web. The Cyble research team discovered files containing sensitive information, including the login credentials of 579 Uber Eats customers and information on 100 delivery drivers. The leaked data included full names, contact numbers, trip details, bank card information, and account creation dates (Cyble, 2020).
If your data has been breached, don’t panic. Below are six simple steps you can take right now to protect yourself.
If your personal information was exposed in a data breach, the company will usually send you a data breach notice. If you get one, don’t ignore it. Keep all the documents it sends and follow its recommendations closely.
Keep an eye on your email, social media, and financial accounts and set up alerts to get notified of any unusual activity. If you stay aware of unexpected changes, it can help you catch potential scams early so you can report or address them quickly. Also, check your credit report regularly to spot any suspicious activity, like loans or credit cards you didn’t apply for or unfamiliar addresses linked to your profile.
Contact the primary credit bureau in your country to place an initial fraud alert on your credit report. This alert adds an extra layer of security, making it more difficult for anyone to open new accounts in your name without additional verification. For even stronger protection, consider freezing your credit, which prevents anyone from accessing your credit report or opening new accounts in your name.
If you’re affected by a data breach or suspect identity theft, report it to the appropriate authority in your country. In the US, this is the Federal Trade Commission (FTC). If your Social Security number was compromised, also contact the Social Security Administration (SSA) to prevent misuse.
Outside the US, similar steps apply:
If sensitive personal information, such as a national ID or tax number, is compromised, contact the relevant government agency to secure your records and prevent identity theft.
Be cautious of emails, texts, or calls pretending to be from the breached company. Scammers often exploit data breaches for phishing attacks. A notable example is the 2017 Equifax breach, which exposed the personal information of nearly 150 million people. When Equifax set up a claims website, cybercriminals created fake sites to steal even more data from people filing legitimate claims.
Most data theft can be prevented. By taking these additional precautions, you can keep your sensitive information safe and out of the wrong hands.
The post The latest Uber data breach: Everything you need to know first appeared on NordVPN.