Uber has been breached yet again, in a high-profile data leak that exposed sensitive employee and company data. The leak stems from the compromise of an AWS cloud server used by a third party that provides Uber with asset management and tracking services.
A threat actor named “UberLeaks” began posting data they claimed was stolen from Uber and Uber Eats. The data, which turned up on the BreachForums hacking forum, included employee email addresses, corporate reports, and IT asset information.
No user information appears to have been compromised in the breach, which appears to have affected corporate assets only. The personal information of 77,000 Uber employees was leaked.
The exposed data included information housed on various Uber employees’ IT devices, including serial numbers, makes, models, and technical specifications, as well as employee information, including first and last names, work email addresses, and work location details, according to Teqtivity.
Uber acknowledged the incident and pointed the media to a breach notification by a company called Teqtivity, which it uses for asset management and tracking services. It’s unclear whether the attacker’s access was due to a misconfiguration of the cloud bucket or whether an actual compromise was to blame.
Teqtivity has notified affected customers and is currently investigating as well as working to contain the incident, according to the notification. It’s unclear if the breach affects other companies beyond Uber.
This latest incident is not Uber’s first data breach; the company has experienced several highly publicized incidents over the past several years that have had significant ramifications.
A previous third-party breach that occurred in 2016 and exposed the data of some 57 million customers and drivers turned into an absolute public-relations nightmare for Uber, the effects of which are still being felt.
Uber also experienced a breach in September and was forced to take some of its operations offline due to the compromise of its own internal systems, when an attacker socially engineered his way into an employee’s VPN account before pivoting deeper into the network. There are some initial clues that tie the incident to the well-known cybercriminal extortion group Lapsus$.
The latest Uber incident, like the one in 2016, once again highlights the third-party risk that all enterprises face when partner companies are responsible for or have access to corporate data and assets, security experts say.