Oh boy. Uber is known for pushing the limits of the law and has dozens of lawsuits pending against it, but this one went too far and now comes the reckoning.
Bloomberg was first to report that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year. Finally, this week, Uber fired its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers to “delete the data”. The company positioned the incident as a “bug bounty reward”. Yeah, sure!
Victim Of A Simple Credentials Phishing Attack?
Here’s how the press describes the hack: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company. If you read between the lines, that could very well be a simple credential spear-phishing scheme, done with some crafty social engineering, or perhaps careless developers leaving internal login passwords lying around online.
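The press account boils down to credentials sitting in a code repository that then unlocked a cloud account. The cheapest defense against that is to scan what developers are about to commit for secrets before it ever reaches GitHub. Below is an added example of such a scanner; it is not code from the original post or from Uber or KnowBe4. The rules are assumptions for illustration: the AWS access key ID shape (AKIA plus 16 uppercase alphanumerics) and the 40-character secret key shape are documented AWS formats, the password rule is a generic literal-assignment pattern, and the sample file content is constructed (it uses the placeholder keys from AWS's own documentation, not real credentials).

```python
import re
import sys
from typing import List, NamedTuple

# Detection rules (assumed for this example). Each maps a rule name to a regex
# whose group 1 is the secret itself, so the report can redact it.
RULES = {
    # Documented AWS access key ID format: "AKIA" followed by 16 uppercase/digits.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Documented AWS secret key format: 40 base64-style chars, here only flagged
    # when an "aws ... secret" label sits within 20 chars before it.
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # Generic: password = "literal" (at least 6 characters).
    "password_literal": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}


class Finding(NamedTuple):
    line: int       # 1-based line number in the scanned text
    rule: str       # which rule fired
    redacted: str   # first 4 characters of the secret, rest masked


def redact(secret: str) -> str:
    """Show only a prefix so the report itself does not leak the secret."""
    return secret[:4] + "..." + "*" * max(0, len(secret) - 4)


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return every rule hit, redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(match.group(1))))
    return findings


# Constructed sample: a config file a careless developer might commit.
# The AWS values are the public placeholder keys from AWS documentation.
SAMPLE = """# constructed sample settings file
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
timeout = 30
"""


def scan_files(paths: List[str]) -> List[str]:
    """Scan files on disk; returns human-readable report lines."""
    report = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                report.append(f"{path}:{f.line}: {f.rule}: {f.redacted}")
    return report


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        lines = scan_files(sys.argv[1:])
    else:
        lines = [f"sample:{f.line}: {f.rule}: {f.redacted}" for f in scan_text(SAMPLE)]
    print("\n".join(lines) if lines else "no secrets found")
    sys.exit(1 if lines else 0)
```

Wired into a pre-commit hook, a non-zero exit blocks the commit; the redaction matters because scanner output tends to end up in CI logs, which are themselves a place credentials leak from.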
Failure To Disclose
Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc., has been at the center of much of the decision-making that has come back to bite Uber this year.
Bloomberg reported last month that the board commissioned an investigation into the activities of Sullivan’s security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.
SNAFUs are bad, but cover-ups can kill you
No doubt regulators will also be asking tough questions about why they were not informed about the breach until this week, and class-action lawsuits… heeeere we come!
Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope that they are right, but it is highly unlikely that these records were deleted. It is almost certain that they have been, or will be, sold on the dark web. There are many ways that data could be abused by criminals without Uber ever becoming aware.
All organizations would be wise to remember this: SNAFUs are bad, but cover-ups can kill you. You can ask forgiveness for being hacked and handle your disclosure correctly, but many people will find it harder to forgive if you deliberately covered up the truth.
Expect Uber-themed phishing attacks
Now that this is all over the press, the bad guys are going to send Uber-themed phishing attacks in a variety of flavors. First will be emails with warnings like “Your Uber Account Has Been Compromised” sending people to fake or compromised websites where their credentials really will be stolen! You can imagine online criminals are going to have a field day with this, since it’s all over the press and people are going to get worried.
I suggest you send the following to your friends, family and employees, feel free to copy/paste/edit:
Uber suffered a data breach a year ago, and the address and email information of 57 million people were stolen. Uber paid off the hackers, who then supposedly deleted the data, but that cannot be confirmed.
Watch out for phishing emails related to this Uber data theft, for instance that your “Uber account was compromised” and that you need to change your password, or anything else related to Uber that could be suspicious.
Never click on a link in an email, always go to the website yourself through your browser’s address bar or a bookmark you have set earlier. Remember, Think Before You Click!
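The “go to the website yourself” advice works because phishing links almost always show one thing and point somewhere else. The same checks a careful user makes by hovering can be automated in a mail filter. Below is an added example that does this over a constructed Uber-themed lure; it is not code from the original post or from KnowBe4. The allowlist (`uber.com`), the brand keyword, and the sample email body are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed allowlist: hosts under these domains are treated as the real brand.
TRUSTED_DOMAINS = ("uber.com",)
BRAND = "uber"


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches display text that looks like a URL or bare domain; group 1 is the host.
_DOMAINISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_links(html: str, trusted=TRUSTED_DOMAINS, brand=BRAND) -> List[Dict]:
    """Return one entry per link with the list of reasons it looks suspicious."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    report = []
    for href, text in extractor.links:
        reasons = []
        host = host_of(href)
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        shown = _DOMAINISH.match(text)
        if shown and shown.group(1).lower() != host:
            reasons.append("display text host differs from real host")
        if brand in host and not any(is_under(host, d) for d in trusted):
            reasons.append("brand lookalike domain")
        report.append({"href": href, "text": text, "reasons": reasons})
    return report


# Constructed sample lure: the visible link text is the real site, the href is not.
SAMPLE_EMAIL = """
<p>Your Uber account has been compromised. Please verify now:</p>
<a href="http://uber-account-verify.example.net/login">https://www.uber.com/security</a>
<p>Questions? Visit <a href="https://help.uber.com/">help.uber.com</a>.</p>
"""


def suspicious_links(html: str) -> List[Dict]:
    """Only the links that tripped at least one check."""
    return [entry for entry in analyze_links(html) if entry["reasons"]]


if __name__ == "__main__":
    for entry in suspicious_links(SAMPLE_EMAIL):
        print(entry["href"], "->", "; ".join(entry["reasons"]))
```

The first link trips all three checks (plain http, display text pointing at `www.uber.com` while the href points elsewhere, and a host that merely contains the brand name); the genuine `help.uber.com` link passes. The display-text comparison is the one most worth keeping: a lookalike host can be registered under any name, but a mismatch between what the user sees and where the link goes is hard to hide.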
Warn Your Users Today
For our KnowBe4 customers, we have a template ready to go for you right now. You can find it in the Current Events section. Here is how it looks in the console. Send it to your users today!