NewsBite

Uber in ‘unforgivable’ security breach

The hack, allegedly by a teenager, is a stark warning for Australian businesses according to security researchers.

An Uber pick up point at Sydney Airport in Mascot after Melbourne entered a fresh lockdown. Picture: NCA NewsWire / Jenny Evans
An Uber pick up point at Sydney Airport in Mascot after Melbourne entered a fresh lockdown. Picture: NCA NewsWire / Jenny Evans

A security breach of Uber’s internal systems is “unforgivable”, one security expert says, with the hack serving as a warning to Australian businesses to beef-up their identity systems to ensure confidential data isn’t stolen by malicious parties.

Thea attack, which began late last week, caused Uber to suspend employee access to its internal systems, including Zoom, Slack and Gmail. The company has yet to explain how the hacker gained access, though a person purporting to be the hacker, who is allegedly an 18 year old, told The Wall Street Journal they tricked an Uber employee into revealing their password.

That password was then used to breach Uber’s systems including its internal corporate VPN. Information that could have been accessed by the hacker includes trip history and customer addresses.

“Hi @here,” the hacker wrote in a message on Uber’s internal Slack messaging channel. “I announce i am a hacker and uber has suffered a data breach.”

Paul Baird, chief technical security officer at IT security provider Qualys, said that the initial reports, if true, mean there have been multiple failures across Uber’s IT and cyber security defences.

“Hackers breaching corporate networks for ‘fun’ are some of the more dangerous adversaries to come across,” Mr Baird said.

“The initial attack vector of social engineering is still hard to defend against, especially when it came via an SMS, but seemingly not having multi-factory authentication on the corporate VPN and leaving a PowerShell script with access management creds on an intranet system, is unforgivable,” he said.

“As the only goal normally is to gain access to internal systems, cause havoc and steal data, there is very little Uber can do in minimising the impact of the breach. Whereas at least when you are dealing with bad actors that are financially incentivised, there is the possibility of paying a ransom to lessen the pain.”

Mr Baird said he was surprised that Uber’s internal security systems did not pick ‘east-west’ traffic while the hacker traversed its network looking for confidential company information and source code.

John Shier, senior security adviser at security provider Sophos, said the latest attack was a reminder for organisations to make sure they have the ability detect when attackers exploit or steal credentials. (Photo by JUSTIN SULLIVAN / GETTY IMAGES NORTH AMERICA / AFP)
John Shier, senior security adviser at security provider Sophos, said the latest attack was a reminder for organisations to make sure they have the ability detect when attackers exploit or steal credentials. (Photo by JUSTIN SULLIVAN / GETTY IMAGES NORTH AMERICA / AFP)

“Uber needs to learn from this breach, bolster their IT and cyber security education and awareness programs, have or extend MFA and run a sanitisation exercise of systems to make sure scripts and documents sitting on internal systems don’t carry keys to the kingdom.”

Uber last suffered a large breach in 2016, when data of 57 million accounts were compromised including names, email addresses and phone numbers. Around 7 million drivers were also affected. The company was later found to have concealed the breach for more than a year and reached a settlement in 2018 of $US148m ($220m), which was paid on compensation across several US states.

John Shier, senior security adviser at security provider Sophos, said the latest attack was a reminder for organisations to make sure they have the ability detect when attackers exploit or steal credentials.

“Persistent attackers can and will find a way around multi-factor authentication systems that rely solely on time-based one-time passwords or push-based authentication,” he said.

“The need for compartmentalised access to critical resources, strong authentication and detection of identity-based activity is an important part of an organisation’s layered defences.”

An Uber spokeswoman said in statement that the company has no evidence that the incident involved access to sensitive user data, like trip history.

While our investigation and response efforts are ongoing, here is a further update on yesterday’s incident:

“All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational,” she said.

“As we shared yesterday, we have notified law enforcement.

“Internal software tools that we took down as a precaution yesterday are coming back online this morning.”

Originally published as Uber in ‘unforgivable’ security breach

Add your comment to this story

To join the conversation, please Don't have an account? Register

Join the conversation, you are commenting as Logout

Original URL: https://www.heraldsun.com.au/business/uber-in-unforgivable-security-breach/news-story/04dd98116e7d1157d7dfd1b67b33f653