Uber staff info leaks after supplier Teqtivity gets pwned
Thankfully no customer info – but the spotlight is back on third-party attacks
Uber, which has suffered a few data thefts in its time, is this week dealing with the fallout from yet another – this time from one of its technology suppliers.
A cyber criminal calling themselves "UberLeaks" over the weekend leaked data pertaining to Uber workers on BreachForums – a site that popped up in April after RaidForums was shut down.
Uber executives said the information dumped online was not from the massive breach in September, but from an attack on Teqtivity – a supplier that performs work for Uber and whose software enables enterprises to keep track of their IT assets, such as phones and computers.
The post on BreachForums implied the high-profile Lapsus$ gang was involved, though there seem to be no other indications of that.
According to a statement from Teqtivity, an attacker gained access to a backup server hosted by Amazon Web Services that stored code and data files related to Teqtivity's customers, including Uber.
No Uber customer data was touched in the security breach, we're told, but information on more than 77,000 Uber and UberEats employees was leaked. Some of the leaked data also related to third-party vendor services and to mobile device management platforms Uber uses.
Teqtivity "does not collect or store, and therefore the data does not include, sensitive personal information like bank account details or government identification numbers (e.g. SSNs, tax numbers), nor do they collect or store consumer, driver or courier information," an Uber spokesperson told The Register.
According to Teqtivity, the data snaffled by the intruder includes device information, such as serial numbers, make, models, and technical specifications, as well as user information such as first and last names, work email addresses, and work locations.
The incident highlights the ongoing threat of third-party attacks. According to a Ponemon Institute report this year, half of more than 1,000 organizations surveyed said they had been the victim of a third-party data breach over the previous 12 months.
"Compromised third parties and suppliers are … a big challenge for security organizations to identify as they often have authorized access to internal systems, even if orphaned or if the company is no longer a supplier," Sanjay Raja, vice president of product marketing and solutions at security analytics firm Gurucul, told The Register.
Even though Uber user information wasn't leaked, the effects of the breach could ripple out to them, according to Paul Bischoff, privacy advocate at tech research firm Comparitech.
"Given that the data is now publicly accessible, as opposed to being sold to a single party, anyone could use it to launch targeted phishing attacks against Uber employees," Bischoff said. "These attacks could trick Uber staff into giving up login credentials, leading to further, more consequential attacks. Even if only a handful of employees out of the 77,000 affected were to fall victim to a phishing scam, it could be detrimental to Uber."
Uber is no stranger to data breaches. In 2016, the company discovered that 57 million customer and driver records were stolen – though it wasn't until November 2017 that the company admitted to the incident. Joe Sullivan, Uber's chief security officer at the time, was charged in 2020 with covering up the breach. He was convicted in October of obstruction of justice and concealing a felony from law enforcement. Uber also was fined $148 million in 2018.
Teqtivity said it contacted law enforcement officials and hired a forensic firm to investigate logs and server configurations, and a security team to penetration test the infrastructure.
Several cyber security professionals told The Register that organizations need to make vulnerability management and patching of third-party software a priority, implement protection at the file level, and then validate that suppliers do the same. In addition, to protect their data, they need to know where it is at all times.
That said, even implementing such measures doesn't guarantee an attacker won't access the data, according to David Maynor, senior director of threat intelligence at security training firm Cybrary.
"Third parties, first parties, and college parties all suffer from the same problem: party crashers," Maynor told The Register. "Party crashers are almost impossible to stop and can ruin everyone's good time. Much like real life, all a victim of malicious party crashers can do is clean up, evaluate their security, and get better training for their personnel." ®