In September 2022, an 18-year-old hacker used social engineering to break into Uber's network. Once inside, the hacker rummaged through an internal file share and found privileged credentials that gave access to large parts of Uber's source code and corporate cloud platforms.
Luckily, no trip data was taken, according to Uber. But luck is not a security strategy.
According to Uber's official statement, the attacker first obtained the password of an Uber contractor. The ride-hailing company said the attacker had most likely purchased these credentials on the dark web.
Uber was using multi-factor authentication (MFA), which requires a second proof of identity beyond the password for each login, such as a one-time code sent by SMS or a push notification in an authenticator app. MFA does make account takeover harder, but the Uber hacker demonstrated that push-based MFA can be beaten through social engineering.
The hacker said that he bombarded the contractor with repeated MFA push notifications "for over an hour" and then sent the contractor a WhatsApp message claiming to be from "Uber IT" and telling them to approve the login. The contractor did.
This technique is called "MFA fatigue" (also known as push bombing): the target receives so many prompts that they eventually approve one, either to make the notifications stop or because they assume the prompts must be legitimate. Attackers sometimes send the flood in the middle of the night to wear the victim down.
Once the contractor approved the login, the hacker gained access to Uber's Slack workspace and posted a message saying, "I announce I am a hacker and Uber has suffered a data breach." The attacker then found privileged credentials on an internal file share and used them to reach "everything." According to TechCrunch, this included production systems, Uber's Amazon Web Services (AWS) account, its Google Cloud Platform (GCP) account, and even Uber's endpoint detection and response (EDR) portal.
This attack forms an excellent case study for any company wanting to improve its security posture.
Let's dig into the Uber hack and see what we can learn from it.
Despite Uber's considerable resources, it was breached, and not for the first time. The takeaway is that any company can be hacked, regardless of its security technology, people, and budget. Accepting this is the starting point for a resilient security strategy.
Even giants like Samsung and Ubisoft have been attacked, in their case by the same group the Uber hacker claimed to belong to. And in 2021, scraped datasets from Facebook and LinkedIn containing user data, including phone numbers, circulated online, totaling over a billion records.
The lesson? Hacks happen.
Now imagine the risk to a company that lacks the security resources of the largest firms to contain an intrusion.
What we learned: Even when companies have multiple controls in place, including MFA, attacks can still happen.
That's why combining preventive controls with detective ones is so vital. Attackers keep getting smarter, so companies can never be complacent about their security: they must continuously look for weaknesses and for signs of a break-in. In Uber's case, that could have included making sure privileged credentials were never left in scripts or documents on a file share, but kept in a secrets manager or privileged access vault where every retrieval is logged.
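One practical check for the file-share problem is to scan the files staff actually drop on shared drives for credential-shaped strings before (or after) they land there. The following is an added example written for this article, not code from Uber or from the original page. The file contents are constructed, and the three patterns (password assignments, AWS access key IDs, PEM private-key headers) are a starting point rather than a complete secret-scanning ruleset.

```python
"""Scan files for hardcoded credentials before they reach a shared drive.

Added example, not code from the original article or from Uber. The file
contents below are constructed for illustration; the patterns cover three
common secret shapes and are a starting point, not a complete ruleset.
"""
import re

PATTERNS = {
    # keyword = "value" or keyword: value. The unquoted branch rejects values
    # starting with '$' so variable references such as password=$adminPass
    # do not produce false positives.
    "password_assignment": re.compile(
        r"(?:pass(?:word|wd)?|secret|token)\s*[=:]\s*"
        r"""(?:["'](?P<q>[^"']{6,})["']|(?P<u>[^\s"'$]{6,}))""",
        re.IGNORECASE,
    ),
    # AWS access key IDs have a fixed prefix and length
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}

# Constructed sample files: path -> contents (the AWS values are Amazon's
# documented placeholder keys, not real credentials)
SAMPLE_FILES = {
    "deploy/rotate-admin.ps1": (
        '$adminPass = "Winter2022!"\n'
        'Invoke-RestMethod -Uri $pamUrl -Body @{password=$adminPass}\n'
    ),
    "infra/backup.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "docs/README.txt": "Credentials live in the vault; request access via the PAM portal.\n",
    "ops/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}


def redact(secret):
    """Keep a short prefix so a finding is identifiable without leaking the value."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(path, text):
    """Return one finding per (line, pattern) hit, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            groups = m.groupdict()
            secret = groups.get("q") or groups.get("u") or m.group(0)
            findings.append(
                {"file": path, "line": lineno, "kind": kind, "preview": redact(secret)}
            )
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents and collect findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['preview']}")
```

Two details are deliberate. Findings carry a redacted preview, so the scan report itself cannot become a second copy of the secret. And the sample .env shows the limit of keyword and prefix matching: the access key ID is caught, but the 40-character secret key beside it is not, which is why production scanners add entropy checks and vendor-specific formats on top of patterns like these.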
Although Uber had MFA in place, it still couldn't escape one crucial element: human error.
The 2022 Verizon Data Breach Investigations Report (DBIR) found that 82% of breaches involved the human element, whether through phishing, misuse, or plain mistakes. "People continue to play a very large role in incidents and breaches alike," the report says.
In 2019, a Business Email Compromise (BEC) scam tricked the finance department of a Toyota subsidiary into paying $37 million to a fictitious business partner. The root cause was human error. And in July 2022, one billion records containing personal data were taken from a police database in China that had reportedly been left exposed, again through human error.
What we learned: Human errors happen.
Even with standing security measures, companies should prepare for the worst and put mitigating controls in place. Uber had MFA running, yet the attacker still got in because a person approved the prompt.
The Uber hack was carried out entirely through social engineering. The Verizon data breach report mentioned earlier defines social engineering as "A psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality."
No malware or exploit was used against Uber's systems; the attacker signed in with a valid password and an approved MFA prompt. Traditional tools such as antivirus, spam filters, and firewalls would therefore not have stopped this intrusion.
The hacker simply "walked in through the front door."
Companies therefore cannot rely solely on malware protection or other prevention-focused technologies and believe they are secure; there are many attack vectors. Training employees on security procedures, including what MFA fatigue looks like and the simple rule that nobody from IT will ever ask them to approve a prompt they did not initiate, should be part of any comprehensive protection. So should hardening the MFA itself: number matching (the user must type a code shown on the login screen into the authenticator, so a blind tap no longer works), a cap on how many pushes can be sent to one user per hour, and, for privileged accounts, phishing-resistant factors such as FIDO2/WebAuthn security keys.
What we learned: Cybersecurity is more than preventing attacks.
It is also about detecting and responding to attacks, including spotting suspicious patterns in user behavior. Any cybersecurity program should be comprehensive, and that includes employee training. Awareness of MFA fatigue, or monitoring for the anomaly it produces (a burst of denied or unanswered push requests for one account, followed by an approval), could have helped Uber catch this attack before it spread.
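The anomaly is easy to describe and, given the push logs most identity providers already emit, not hard to detect. The following is an added example written for this article, not code from Uber or from any identity provider. The log lines are constructed (one JSON object per line with ts, user, event, result and src_ip); real Okta, Duo or Azure AD events use different field names and result strings, so they would need to be mapped into this shape first. The thresholds are assumptions to tune, not vendor recommendations.

```python
"""Flag MFA-fatigue (push bombing) patterns in MFA push logs.

Added example, not code from the original article, from Uber or from any
identity-provider vendor. The log lines below are constructed for
illustration and the thresholds are tunable assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # how far back unanswered pushes count (assumption)
MIN_FAILED_PUSHES = 5           # denials/timeouts that constitute a burst (assumption)
OFF_HOURS = range(0, 6)         # hours, in the log's timezone, treated as off-hours
FAILED_RESULTS = {"denied", "timeout"}

# Constructed sample log: contractor1 is push-bombed for 35 minutes and then
# approves; alice denies one prompt and approves the next (normal); bob is
# being bombed but has not approved anything yet.
SAMPLE_LOG = """\
{"ts": "2022-09-15T02:20:00Z", "user": "contractor1", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:27:00Z", "user": "contractor1", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:34:00Z", "user": "contractor1", "event": "push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:41:00Z", "user": "contractor1", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:48:00Z", "user": "contractor1", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T02:55:00Z", "user": "contractor1", "event": "push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T03:02:00Z", "user": "contractor1", "event": "push", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T03:02:05Z", "user": "contractor1", "event": "login", "result": "success", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice", "event": "push", "result": "denied", "src_ip": "198.51.100.20"}
{"ts": "2022-09-15T09:01:00Z", "user": "alice", "event": "push", "result": "approved", "src_ip": "198.51.100.20"}
{"ts": "2022-09-15T11:00:00Z", "user": "bob", "event": "push", "result": "timeout", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T11:10:00Z", "user": "bob", "event": "push", "result": "timeout", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T11:20:00Z", "user": "bob", "event": "push", "result": "timeout", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T11:30:00Z", "user": "bob", "event": "push", "result": "denied", "src_ip": "203.0.113.9"}
{"ts": "2022-09-15T11:40:00Z", "user": "bob", "event": "push", "result": "timeout", "src_ip": "203.0.113.9"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime ts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events, window=WINDOW, min_failed=MIN_FAILED_PUSHES):
    """Return alerts of two kinds:
    push_burst           - a user has reached min_failed denied/timed-out pushes within window
    approval_after_burst - an approval arrived after such a burst (the fatigue outcome)
    """
    alerts = []
    failed = defaultdict(list)  # user -> timestamps of recent denied/timed-out pushes
    for rec in events:
        if rec.get("event") != "push":
            continue
        user, ts = rec["user"], rec["ts"]
        # forget failed pushes that have fallen out of the window
        failed[user] = [t for t in failed[user] if ts - t <= window]
        if rec["result"] in FAILED_RESULTS:
            failed[user].append(ts)
            if len(failed[user]) == min_failed:  # fires once, as the threshold is crossed
                alerts.append({"kind": "push_burst", "user": user, "at": ts.isoformat(),
                               "failed_pushes": min_failed, "src_ip": rec["src_ip"]})
        elif rec["result"] == "approved":
            n = len(failed[user])
            if n >= min_failed:
                alerts.append({"kind": "approval_after_burst", "user": user, "at": ts.isoformat(),
                               "failed_pushes": n, "first_failed": failed[user][0].isoformat(),
                               "src_ip": rec["src_ip"], "off_hours": ts.hour in OFF_HOURS})
            failed[user].clear()  # an approval ends the episode, for better or worse
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

The push_burst alert is the one that matters operationally: it fires while the victim is still refusing, which is the moment a SOC analyst can phone the user, and it fires for bob even though nobody has approved anything yet. The approval_after_burst alert is the signal to treat the session as compromised and revoke it. Alice's single denial followed by an approval, the everyday pattern of a mistimed tap, produces nothing.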
Uber's attack could have been much worse. Although no trip data was stolen, the attacker did reach internal source code and, as Uber later confirmed, its HackerOne dashboard, where security researchers submit vulnerability reports. Knowledge of unpatched weaknesses in hands like these creates an urgent patching requirement.
But what was far worse for Uber was the bad press this attack generated. The media is not kind to companies that suffer a breach, and Uber was hit with the usual frenzy of negative headlines that follows a data breach.
This also wasn't Uber's first breach. The company was hacked in 2016 and, to add insult to injury, failed to disclose the hack for about a year. Its new CEO acknowledged, as TechCrunch reported, that the company had failed in its duty to disclose the attack.
Bad publicity is an often-ignored risk. Customer trust is hard to repair, especially for newer or smaller companies. In a Deloitte survey, breached companies asked about the greatest impact of reputational damage ranked loss of revenue (41%) and loss of brand value (also 41%) highest, with regulatory investigations third.
What we learned: Even if a breach is not "serious," the financial losses due to reputational damage can be.
Any incident response plan must include a communications strategy, especially for external communications, to limit reputational damage. Statements must be accurate, because regulators and journalists will test them against the facts, but they can also say what worked. Part of Uber's recovery strategy for this hack could have been a prepared statement along these lines: "No trip data was taken as a result of diligent work by our security team. But hackers are getting smarter. We will learn from this, but are proud of our security team who put effective measures in place so that no major damage could be done."
Recovering from a breach requires a specific action plan called an Incident Response (IR) plan. This is a documented set of the actions needed to contain an active attack and then recover from it.
Whether Uber had an effective IR plan is hard to judge from outside, but an attacker reaching the company's cloud accounts and EDR console from one approved MFA prompt points to gaps in containment. This is a common failure in businesses of all sizes. An IR plan is far more than eliminating the threat: it also has to cover recovering lost or exposed data and making sure the right communications go out.
The lack of an IR plan can lead to much higher overall costs, including legal liability, reputational damage, direct financial losses, and compliance penalties. According to IBM's Cost of a Data Breach Report for 2022, the average breach cost companies that had neither an IR team nor a tested IR plan $2.66 million more than companies that had both. Much of that difference comes from legal, regulatory, and other post-breach costs and penalties.
What we learned: Having an effective IR plan in place that is well-tested can greatly reduce long-term data breach costs.
The Uber hack is recent, so its true cost will only become clear months from now, as the regulatory wheels start to turn and lawsuits begin to appear.
Even large companies can benefit from a Managed Security Service Provider (MSSP); for smaller companies, one is often essential.
Several of the failures in the Uber hack could have been caught if an MSSP had been monitoring for anomalous MFA behavior. Companies are busy, and the threat of a breach grows every year as attackers get smarter. An MSSP takes that burden off a company's shoulders.
Maintaining security across an organization as large as Uber is also expensive when it is all done in-house, and few teams have the time.
Small companies don't have the budget for large-scale security programs, yet going without them can lead to far higher costs after a data breach. An MSSP can resolve this catch-22 by consolidating security services with a single vendor and offering comprehensive coverage at a fraction of the in-house cost.
SolCyber is an MSSP that is focused on SMEs, bringing a turnkey cybersecurity solution to the table from detection to IR, and even cyber insurance if necessary.
Uber was hacked through social engineering combined with MFA fatigue, in which attackers bombard a user with multi-factor authentication prompts until the user accepts one.
Uber was hacked before, in 2016, but did not disclose that breach until much later. Its new CEO acknowledged that this was a mistake.
The Uber hacker gained access to Uber's Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounts. Uber's official statement said it had no evidence that sensitive user data, such as trip history, had been accessed.
Uber kept operating during the hack. It temporarily shut down some internal tools, which had minimal impact on customer support services.