Editor’s Note: This Perspectives column was updated to reflect that the incident centered on a breach of Teqtivity, a provider of asset management and tracking services and one of Uber’s third parties.
The recent third-party breach of Uber data, in which an attack on its vendor Teqtivity exposed sensitive employee and customer data that was then posted to the BreachForums hacking forum, was the latest in a string of security incidents Uber has had to face in the last few years.
While such incidents are unfortunate, there are lessons we can learn from the breach that can help organizations avoid the repercussions of a serious third-party cyberattack. The Teqtivity incident shows that even the largest organizations with advanced security teams have weak links that cybercriminals are ready to exploit, and it highlights the ever-growing impact of third-party risk. The industry needs to stay hyper-vigilant about the access that third parties have to organizations and their data. Given the expanse of the corporate supply chain, third parties have become an extension of enterprise attack surfaces, and security teams must prepare accordingly or face the same potential fate as Uber. By proactively acting on the four lessons below, businesses will have a leg up in shielding themselves from an attack.
Lesson #1: Third-party risks will continue.
As long as we are building software using APIs, we will encounter third-party risks. APIs are an integral part of building applications in the cloud, so we will always rely upon them in some way until there’s another fundamental shift in IT architecture. According to 2022 IBM research, almost half of all data breaches happened in the cloud.
The lesson here: we must build applications with a zero-trust strategy at their core so that guardrails are in place to protect against third-party risk. Without a zero-trust strategy, organizations are left exposed to third-party risk through the way applications are built with connectivity in mind, through misconfigurations in the early stages of an application build, or through an exploitative attack that targets a third party. The latest security incident involving Uber's third-party data recasts the spotlight on minimizing exposed attack surfaces and vulnerable third-party touchpoints.
Lesson #2: CPRA and CCPA regulations force stricter accountability.
Jan. 1, 2023, marked the first day of enforcement of the California Privacy Rights Act (CPRA), an extension of the existing California Consumer Privacy Act (CCPA). With many employees located in California, Uber might land in the hot seat if found in violation of the new statute. In fact, the law specifies that all data owners residing in California are entitled to the rights of the CPRA, regardless of where a company is headquartered. Under these regulations, organizations must show how they are connected to third parties and what kind of data they are letting those parties store. Controlling data within large organizations is already tricky; for organizations in the cloud, it’s even trickier. IT and security teams looking to maintain compliance need to determine who has access to what data, including which cloud components have access to it. These teams must implement a least-privilege model, granting privileges only to the users and devices that absolutely need them.
Lesson #3: Cybercriminal forums are fanning the flames and security teams must take note.
The Teqtivity breach underscores the massive cybercriminal element that propels many breach events today. The Uber data compromised through the third party was published on the BreachForums cybercriminal forum, which currently has over 238,000 members. Notorious cybercriminal forums such as this one enable threat actors to quickly spread sensitive data to thousands or even millions of people online. Organizations need to consider the downstream ramifications of a data breach beyond what the industry counts as its total cost. We have seen how quickly a large forum such as RaidForums relaunched as BreachForums after it was shut down last year. The aggressive nature of cybercriminals means that once they steal data, it’s very hard to track and contain the reach of its exposure.
Lesson #4: Zero-trust has become critical.
In this case, although it was Teqtivity's systems that were breached, Uber still bears responsibility for the potential damage. This further amplifies the importance of a zero-trust approach to Identity and Access Management (IAM). Ultimately, it is the company whose data was compromised that bears the consequences. No entity should have access unless it absolutely needs it, and that includes partners and third parties.
Companies must implement an identity-centric security model more widely. In today’s cloud-first era, it’s necessary to have strong IAM practices throughout the IT supply chain, which starts with creating a unique identity not only for each individual employee or stakeholder but also for specific cloud components, such as containers, serverless functions, and data resources. Maintaining a least-privileged state – at scale – is a lesson that many recent breaches have taught us.
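Lessons #2 and #4 both come down to one operational question: which identities, including third-party and workload identities, can reach which data, and is each grant as narrow as it needs to be? The following audit script is an added example and is not code from the column's author or from Solvo. It assumes AWS-style IAM policy documents in JSON (the `Statement`, `Effect`, `Action`, `Resource`, `Principal` and `Condition` keys) and flags the grants a least-privilege review would reject: wildcard actions or resources, anonymous principals, and cross-account trust to accounts that are not on a maintained list of known third parties or that lack an `sts:ExternalId` condition. The sample policies and the account ID `111122223333` are constructed for this example.

```python
"""Least-privilege audit for AWS-style IAM policy documents (added example).

Given a policy name, its JSON document, and the set of third-party account IDs
the organization has consciously on-boarded, report each statement that grants
more than a least-privilege model should allow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str
    statement: int
    issue: str


def _as_list(value):
    """IAM allows scalar-or-list for most keys; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn: str) -> str:
    """Account ID is the 5th colon-separated field of an IAM ARN (constructed inputs only)."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 6 else principal_arn


def audit_policy(name: str, doc: dict, trusted_accounts=frozenset()) -> list:
    """Return a list of Finding objects for every over-broad Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Wildcard actions: "*" grants everything, "svc:*" grants a whole service
        if "*" in actions:
            findings.append(Finding(name, idx, "allows every action (Action: *)"))
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                findings.append(Finding(name, idx, f"service-wide wildcard action(s): {wild}"))

        # Wildcard resource: the grant is not scoped to specific data
        if "*" in resources:
            findings.append(Finding(name, idx, "applies to every resource (Resource: *)"))

        # Trust and resource policies carry a Principal; check who is being let in
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(Finding(name, idx, "grants access to any principal (Principal: *)"))
            continue
        conditions = stmt.get("Condition") or {}
        has_external_id = any("sts:ExternalId" in v for v in conditions.values()
                              if isinstance(v, dict))
        for arn in aws_principals:
            acct = _account_of(arn)
            if acct not in trusted_accounts:
                findings.append(Finding(name, idx, f"trusts account {acct} not on the third-party register"))
            if not has_external_id:
                findings.append(Finding(name, idx, f"cross-account trust to {acct} has no sts:ExternalId condition"))
    return findings


# --- Constructed sample policies -------------------------------------------
# An over-broad grant a vendor integration might be handed in a hurry.
VENDOR_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# The same integration scoped to the one read it actually needs.
VENDOR_SCOPED = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::example-asset-inventory/*"}]}

# Trust policies for the role the vendor assumes. 111122223333 is a placeholder account ID.
TRUST_OPEN = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                             "Action": "sts:AssumeRole"}]}
TRUST_SCOPED = {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-inventory-agent"},
                               "Action": "sts:AssumeRole",
                               "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}


def audit_all(policies: dict, trusted_accounts=frozenset()) -> dict:
    """Map each policy name to its finding count; zero means it passed the review."""
    return {name: len(audit_policy(name, doc, trusted_accounts)) for name, doc in policies.items()}


if __name__ == "__main__":
    register = {"111122223333"}  # the third-party accounts the organisation has on-boarded
    for finding in audit_policy("vendor-broad", VENDOR_BROAD) + audit_policy("trust-open", TRUST_OPEN):
        print(f"{finding.policy} statement {finding.statement}: {finding.issue}")
    print(audit_all({"vendor-scoped": VENDOR_SCOPED, "trust-scoped": TRUST_SCOPED}, register))
```

Run against the register of on-boarded vendor accounts, the script turns the column's "who has access to what" question into a repeatable check: the broad vendor policy and the open trust policy produce findings, the scoped pair produce none, and removing an account from the register immediately surfaces every role that still trusts it.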
The latest incident involving Uber's third-party data reinforces the idea that every organization should assume it is at risk at any given moment. As more and more businesses shift to the cloud, attacks show no sign of slowing down. Increasingly proactive defense, the adoption of zero-trust strategies, and coordinated security efforts among all IT supply chain stakeholders must become part of the cloud-centric enterprise’s playbook, or it risks serious business disruption.
Shira Shamban, co-founder and CEO, Solvo