More Uber data exposed in possible supply chain attack

A second incident affecting ride-sharing app Uber appears to have originated through a third party in a supply chain attack

A new data breach of Uber employee email addresses, internal documents and information relating to its IT estate – specifically its mobile device management (MDM) platform – may have originated via a third-party incident at asset management company Teqtivity, according to reports.

A user with the handle “UberLeaks” began to share the data dump on an underground hacking forum on Saturday 10 December, according to Bleeping Computer. The leak is believed to affect almost 80,000 employees of the company

In a series of posts, the leaker made a number of references to the Lapsus$ cyber crime group, which was behind a string of high-profile attacks at the beginning of 2022, and is thought to be behind the September attack on Uber. No firmer connection has been proved at this time.

Bleeping Computer also reported that it had been thought the new data dump did relate to the September incident, but Uber had said the files came from the attack on Teqtivity and were unrelated to the previous attack.

Following this, in a breach notification on Monday 12 December, Teqtivity said: “We are aware of customer data that was compromised due to unauthorised access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.

“Our investigation is ongoing, however we have notified affected customers of the incident and have taken steps to ensure the situation is contained and have prevented this type of event from happening again.”

The firm has retained an external cyber forensics firm to investigate its logs and server configuration. It has also notified law enforcement and is conducting penetration testing of its environment.

Teqtivity said the data it knows to have been affected comprises device information such as serial numbers, makes and models, and technical specifications, plus user information including first and last names, work email addresses and work location details.

It said it does not collect or retain any personal data, such as home addresses, banking information or government ID numbers.

“We sincerely apologise for any inconvenience this may cause and very much regret this situation has occurred,” said the firm. “Your confidence in our ability to safeguard your company data and your peace of mind are very important to us.”

Read more about Uber

Teqtivity did not disclose how many customers besides Uber had been impacted by the incident, or any further details about the attack, although the wording of its statement points to the possibility of ransomware.

Ian McShane, vice-president of strategy at Arctic Wolf, commented: “In recent years, we’ve seen that companies are becoming more at risk of being either the ‘target’ or the ‘transport’ that allows other organisations to be hacked. With this data breach, perhaps this kind of supply chain attack becomes the Venn diagram where supply chain attacks meet targeted attacks.

“If this is truly a third-party MDM breach, and wasn’t just off the back of some credentials/data stolen during the prior Uber incident, one assumes that there are other companies about to find out that their data was leaked through no fault of their own. I wouldn’t be surprised if we saw more incidents like this as we approach the New Year.”

McShane added that such incidents should remind security teams that they need to have visibility of their organisations’ suppliers, and try to minimise overlap and reduce risk by keeping an eye on what technology suppliers they work with in their environments.

“Vendor risk assessment is a critical aspect of any organisation’s security operations and this must be a priority for 2023,” he said.

ImmuniWeb chief architect and CEO Ilia Kolochenko said that given Uber’s likely investments into security since a 2016 data breach – which recently resulted in the criminal conviction of its ex-security officer Joe Sullivan – vulnerable third parties were likely to prove to be the “weakest link” for the firm.

“Despite all the efforts, controlling your external vendors is an arduous and costly task which is often underfunded and underprioritised compared to other security processes,” said Kolochenko. “Unsurprisingly, pragmatic cyber criminals hit the most vulnerable party to extract valuable data from Uber, which can now be exploited to further sophisticated attacks.”

If reports of the nature of the data prove accurate, Uber will now be at risk of attempts to gain access to its mobile architecture, said Kolochenko, while its employees may find themselves targeted in advanced spear-phishing or password-spraying attacks. From a legal perspective, the incident may also spell trouble for Uber, he added.

Read more on Data breach incident management and recovery

Data Center
Data Management