
Uber data targeted in breach of third-party law firm


Uber data has become the target of yet another breach, this time via a New Jersey-based law firm the ride-sharing service has used for legal representation.

In a letter to affected parties, law firm Genova Burns said it first learned of the breach on Jan. 31, and that an unauthorized third party accessed its systems and accessed or exfiltrated certain limited files between Jan. 23 and Jan. 31.

The Genova Burns letter made clear that there was no indication of any actual or attempted misuse of rider data. The firm’s investigation found that information riders had provided to Uber, including names and Social Security numbers and/or tax identification numbers, was among the impacted data.

Upon learning of the event, Genova Burns said it investigated to determine the nature and scope of the incident and changed all system passwords. The law firm also notified law enforcement, is cooperating with its ongoing investigation, and plans to take additional steps to improve security.

The incident was the third breach involving Uber data over a six-month period, the last two the result of attacks on third parties related to Uber.

Third-party asset management and tracking services company Teqtivity was breached in December when a threat actor leaked Uber data that included employee email addresses, corporate reports, and IT asset information.

Uber confirmed in September that it was hacked in a damaging compromise that included internal systems and the company’s accounts for multiple third-party services. The September hack was attributed to the Lapsus$ group.

Attackers will always prey on small-to-medium-sized businesses working in conjunction with larger businesses, said Matt Mullins, senior security researcher at Cybrary. Mullins said they are typically much softer targets because of a lack of security awareness, funding and staffing.

“There might have been some security and protection around information covered required by law, but outside of that I’d be shocked if they had robust controls in place,” said Mullins. “This ultimately lands them in the crosshairs of adversaries, as with all other small-to-medium-sized businesses, because they can't defend themselves appropriately to the threat.”

Krishna Vishnubhotla, vice president of product strategy at Zimperium, said that most businesses today rely heavily on third-party services, adding that a typical enterprise business uses more than 1,000 cloud services and applications.

“However, the real issue is the exchange and monetization of sensitive data between different parties,” said Vishnubhotla. “Once this happens, it's challenging for any enterprise to keep track of where this data resides at all times and if it’s properly protected. With more companies adopting mobile as a delivery platform, this trend will only accelerate, since it is economic and business-sensible. But, if we don't adopt risk-based access strategies, we will pay with our privacy.” 

Piyush Pandey, chief executive officer at Pathlock, added that enterprises need to manage third-party access to core business systems with the strictest of access controls. 

For public, regulated companies like Uber, Pandey said third-party access is often subject to specific regulations to ensure controls are enforced in a highly monitored way, such as the segregation of duties (SOD) requirements under the Sarbanes-Oxley Act, which are supposed to ensure no user is given enough privileges to misuse the system on their own.

“Starting with the principle of least privilege, enterprises should grant third-parties the minimum level of access required to perform the processes required by the business,” said Pandey. “From there, any elevation of access should be managed via exception. Regular reviews of activities and elevation requests would determine if the enterprise would expand or contract entitlements over time.”
