Uber driver info stolen yet again: This time from law firm
Never mind software supply chain attacks, lawyers are the new soft target?
Uber has had more of its internal data stolen from a third party that suffered a security breach. This time, the personal info of the app's drivers was swiped by miscreants from the IT systems of law firm Genova Burns.
In a letter [PDF] to affected drivers, the lawyers said they had looked into the intrusion, and had some bad news: "The investigation determined that information you provided to Uber, including your name and Social Security number and/or Tax Identification number, was among the impacted data."
Uber did not respond to The Register's question about how many of its drivers had their records stolen. A spokesperson instead emailed us this statement:
In March we were notified by outside legal counsel, Genova Burns LLC, that they had suffered a security incident. Impacted information held by Genova Burns included information of certain drivers who had completed trips in New Jersey, including social security number and/or tax identification number. These drivers have been notified that their social security number and/or tax identification number have been potentially impacted and offered complimentary credit monitoring and identity protection services. Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future.
Genova Burns said in its letter it first became aware of suspicious activity within its IT systems on January 31, and hired a forensic security team to probe what turned out to be a digital break-in.
As a result of that probe, the attorneys alerted law enforcement, changed all system passwords, and promised to take "additional steps to improve security and better help protect against similar incidents in the future."
No word, however, on what those additional steps will involve. Genova Burns declined to answer The Register's specific inquiries about the intrusion.
"We determined that an unauthorized third party gained access to our systems and certain limited files were accessed or exfiltrated between January 23, 2023 and January 31, 2023," the intrusion notice stated, adding the law firm undertook a "comprehensive review" to determine what the crooks stole.
The attorneys added they possessed this personal information as a result of doing legal work for Uber.
- Uber explains how it was pwned this month, points finger at Lapsus$ gang
- Uber staff info leaks after supplier Teqtivity gets pwned
- Former Uber CSO convicted for covering up massive 2016 data theft
- Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU
And, per usual, affected individuals get 12 months of free identity monitoring services to compensate for their stolen data, which could be used for identity theft, or sold on cybercrime forums.
This happened last year after a separate third-party breach. After breaking into the network of software provider and Uber supplier Teqtivity, a cyber criminal calling themselves UberLeaks shared data pertaining to Uber workers on BreachForums.
No Uber customer data was touched in that privacy breach, though information on more than 77,000 Uber and UberEats employees was leaked. Some of the released data also related to third-party vendor services and to mobile device management platforms Uber uses.
The app maker has suffered its share of data-theft fiascos, most notably the 2016 intrusion in which crooks stole 57 million customer and driver records. Uber famously tried to cover up that heist by passing off a ransom payment, made to the thieves to recover the data, as a bug bounty award. Firings and lawsuits ensued.
More recently, in September 2022, a teenager affiliated with the Lapsus$ gang accessed Uber's internal systems, including the corporation's G Suite account, and downloaded internal Slack messages and a tool used by its finance department to manage "some" invoices.
The intruder said they broke into Uber for fun, might release some of its source code, and described the company's security as "awful." ®