Uber has found itself at the centre of yet another data breach after hackers stole the private data of its drivers from the IT systems of a third-party law firm.
In a letter to the affected drivers, Uber-associated law firm Genova Burns said that the confidential information including social security and tax identification numbers had been stolen after hackers compromised its IT systems.
"The investigation determined that information you provided to Uber, including your name and Social Security number and/or Tax Identification Number, was among the impacted data," the attorneys told drivers.
The firm said it first became aware of the breach on 31 January, and immediately altered authorities and hired a forensic team to investigate the data breach.
"We determined that an unauthorised third party gained access to our systems and certain limited files were accessed or exfiltrated between January 23, 2023, and January 31, 2023," the letter stated, adding the law firm undertook a "comprehensive review" to determine what the crooks stole.
The attorneys added that they had changed all system passwords and promised to take "additional steps to improve security and better help protect against similar incidents in the future" following the attack.
While Uber has not revealed the number of drivers affected, it said in a statement that the breached data included private information on Uber drivers who had completed trips in New Jersey, and it had not affected customers’ data.
“These drivers have been notified that their social security number and/or tax identification number have been potentially impacted and offered complimentary credit monitoring and identity protection services,” Uber wrote.
“Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future.”
Third time’s a charm
As per usual, Uber said the affected drivers would receive 12 months of free identity monitoring services to compensate for their stolen data, which could be used for identity theft, or sold on cybercrime forums.
But that won’t be of any comfort. This week’s breach marks the third time in six months that Uber driver’s data has been involved in a data heist on the ride-sharing platform.
In December 2022, the data of more than 77,000 Uber employees was leaked online after a cybercriminal gang dubbed Uberleaks infiltrated IT systems belonging to Teqtivity, used by Uber for IT asset management services.
The compromised data included corporate information such as source code and IT asset management reports, which the hacker group shared with users on Breachforums.
To read more about cyber attacks, visit our Business Continuity Page.
Just two months earlier in September, a teenager affiliated with the Lapsus$ gang accessed Uber's internal systems and downloaded internal Slack messages and a tool used by its finance department to manage invoices.
The intruder revealed they broke into Uber for fun and threatened to release some of its source code. They described the company's security as "awful."
Each breach is just another incident in Uber’s roster of cybercriminal fiascos over the years, most notably the 2016 intrusion which saw criminals stealing 57 million customer and driver records.
Uber famously tried to cover up that attack by passing off a ransom payment, paid to the thieves to recover the data, as a bug bounty award. A series of firings and lawsuits followed.
Small companies aren’t immune to cybercrime
Uber’s most recent cyber fiasco demonstrates that small firms associated with large corporations are no longer safe from malicious activity.
Experts note that an increasing number of hackers are targetting small, third-party firms to gain access to sensitive data belonging to the larger company they are associated with.
Rob Bolton, VP of EMEA at Versa Networks told EM360 that the attack on Uber associate Genova Burns serve as a lesson for other companies to protect their supply chain from malicious activity.
“The belief that small businesses are immune to cyberattacks is no longer valid, as cybercriminals have become aware that targeting less secure networks linked to larger companies is an easier way to gain access to sensitive data. This means that a business is only as secure as its weakest third-party network."
“The recent cyberattack on Uber highlights the increasing risk faced by organisations that are associated with large, well-known companies. Large organisations often have multiple security controls, procedures, and technologies in place.
“However, these controls are only effective if all of their third-party providers are equally secure. Cybercriminals are aware of this and will attempt to breach the weakest link in the chain to gain access to valuable data.”