Latest Uber Data Breach Proves Uber Security is Still Not Up to Speed
Uber Technologies, Inc., founded in 2009, is an American mobility service provider that enables users to book a car and driver to transport them to a specified destination. A public company, Uber is based in San Francisco with operations in more than 70 countries and 10,500 cities. The company also operates Uber Eats, a food ordering and delivery service launched in 2014, and Uber Freight, launched in 2017, which connects truck drivers with shippers who need freight transported.
Like most large businesses today, Uber Technologies has been hacked. Unlike most, the company has been hacked three times in nine years, an average of once every three years. And the scope of the Uber data breaches is eye-catching.
- The recent hack of September 2022 is under investigation and it’s too early to know the full extent of this data breach.
- A hack in 2016 compromised the personally identifiable information (PII) of some 57 million Uber customers and drivers, including 600,000 drivers’ licenses. To date, Uber has settled multiple claims for $148 million with the 50 states, and several class action suits are pending along with a settlement with the Department of Justice.
- The hack of 2014 compromised the data of more than 100,000 Uber drivers, in some cases including PII, which can lead to identity theft.
Whether or not some or all of the breached data appears for sale on the dark web, Uber drivers and their customers have paid a high price. And one can’t help but wonder when the next Uber data breach will occur, since Uber’s cybersecurity does not appear to have been brought up to speed yet, despite orders from the Federal Trade Commission to improve security.
Let’s look briefly at the three cybersecurity incidents at Uber.
2022 Data Breach
Uber’s Announcement. On September 15, 2022, Uber posted a quick note on its website announcing a new Uber data breach and stating that it was working with law enforcement. An Uber update the next day soft-pedaled the incident, stating that there appeared to be no access to sensitive user data, all Uber services were operational, and internal software tools taken down the day before were being brought back up.
Immediate Aftermath. On September 15 and 16, online sources reported that the hacker boasted of how he had social-engineered an Uber employee and then posted screenshots of internal Uber system pages, proving his unauthorized access. Speculation was rampant, fueled in part by the alleged hacker, who claimed to be 18 years old and to have targeted Uber because of its poor security, according to a New York Times article.
Uber Update. On September 19, an update on Uber’s website told a slightly different story, with no reference to social engineering. According to this update, an Uber contractor’s account was compromised by a hacker who may have “purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials.” After repeated attempts, the hacker was able to gain access and ultimately obtain “elevated permissions to a number of tools, including G-Suite and Slack.”
Evidence Found. The September 19 Uber post also asserts they found no evidence of the hacker accessing public-facing systems that power Uber apps; the Uber codebase; user accounts; databases storing sensitive user information; or customer or user data stored by Uber’s cloud providers including Amazon Web Services (AWS). Evidently, however, the hacker was able to download information from an internal invoice management system, which Uber is investigating.
Who’s to Blame. The cybercriminals, according to Uber, are affiliated with a hacking group called Lapsus$, whose activities have accelerated in the past year. “This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others,” says the Uber update.
2016 Data Breach
The stunning Uber data breach of 2016 compromised the PII of some 57 million Uber customers and drivers, including roughly 600,000 drivers’ licenses.
Covering Up the Breach. In addition to its massive scope, this hack became notorious for a prolonged cover-up by Uber’s chief security officer at the time. Joseph Sullivan, the CSO, was charged with covering up the data breach, paying the hackers $100,000 in bitcoin in exchange for their agreement not to publicly disclose the incident. He was fired when Uber executives finally learned of his attempted cover-up and hush-money arrangements.
$148 Million Settlement. Two years later, in September 2018, Uber Technologies settled claims that it had been too slow to reveal the data breach, principally due to the CSO’s cover-up. The settlement of claims filed by all 50 states and the District of Columbia cost Uber $148 million.
Hackers Plead Guilty. Two of the hackers responsible for the 2016 incident were prosecuted in the Northern District of California (Uber is based in San Francisco), and both pleaded guilty to computer fraud conspiracy charges in October 2019. The Department of Justice criminal complaint also suggested that the two had targeted and successfully hacked other companies’ user data after Sullivan failed to report Uber’s data breach to law enforcement.
Uber CSO Charged. In August 2020, nearly four years after the 2016 data breach, Sullivan was charged with obstruction of justice and failure to report a felony, along with additional charges. Two years later, in August 2022, the additional charges were dropped, but Sullivan continues to face the original charges, with a trial date to be announced. According to a Reuters article, Sullivan is probably the first corporate information security officer to be criminally charged with concealing a data breach.
2014 Data Breach
Uber was also attacked in 2014, when hackers accessed the names and drivers’ license data for more than 100,000 Uber drivers. After completing its inquiry, in 2017 the Federal Trade Commission ordered Uber to improve numerous elements of its cybersecurity in order to reduce its vulnerability to data breaches.
Among the findings in the FTC’s complaint was that Uber underestimated the number of affected drivers at 50,000, when the total turned out to be more than 100,000.
How It Happened. According to the FTC complaint, the 2014 Uber data breach occurred when a hacker found driver data in plain text (unencrypted) in an Amazon Web Services store. An Uber engineer had publicly posted an access key to a code-sharing website, which "granted full administrative privileges to all data and documents" on the AWS server.
Scope of Impact. The hacker gained access to a file containing Uber drivers’ personally identifiable information, including (1) over 100,000 unencrypted names and driver’s license numbers, (2) some 215 unencrypted names along with bank account numbers and bank routing numbers, and (3) the unencrypted names and social security numbers of 84 drivers. In some cases, the compromised data included physical addresses, email addresses, cellphone numbers, device IDs, and trip locations as well.
Uber Technologies was founded in 2009 in San Francisco. The company has suffered three data breaches in the past nine years, with no discernible pattern. At a minimum, the personally identifiable information of 57 million Uber customers and drivers has been leaked, exposed, accessed, or compromised.
When the second Uber data breach occurred, in 2016, an Uber security executive managed to cover up the incident for a prolonged period. Once discovered, he was fired and is still facing charges of obstructing justice and failing to disclose a data breach. This is thought to be the first time a company’s chief security officer has been so charged.
Uber seems to have learned a lesson from the 2016 incident, because they were quick to report the 2022 data breach and engage law enforcement. However, the state of Uber’s cybersecurity does not appear to have improved, spurring speculation about the next data breach. It would seem Uber is too tempting a target to be ignored.