Uber Technologies, Inc. is a mobility service provider based in the United States that allows users to hire a car and a driver to transport them like a taxi. With operations in around 72 countries and 10,500 cities by 2021, it has its headquarters in San Francisco.
A hack has been made into Uber’s computer network. After discovering various internal communications and engineering systems had been infiltrated, the ride-hailing company said that it was investigating.
The hacker gave pictures of email, cloud storage, and code repositories to the newspaper, which is where the New York Times first revealed the incident.
According to the story, which cited two employees, Uber employees were instructed not to use the workplace messaging platform Slack.
The message that said, “I proclaim I am a hacker and Uber has suffered a data breach” was sent to Uber workers just before the Slack system was shut down.
An explicit photo was posted on an internal information website for staff, suggesting that the hacker was later able to access additional internal systems. Regarding the breach, Uber claimed to be in contact with law enforcement.
There is no evidence that the attack has harmed Uber’s user base, car fleet, or payment information.
A California-based bug bounty program called HackerOne receives a membership fee from Uber. Many large companies employ bug bounty programs, in which ethical hackers are paid for finding defects. The Uber hacker talked with Sam Curry, one of the bug bounty hunters. He stated, “It appears like they have compromised several things.”
To limit the hacker’s access, Mr. Curry claimed to have spoken with much Uber personnel who stated that they were “trying to lock down everything inside.”
He stated that there was no evidence that the hacker had caused any harm or was interested in anything other than attention. According to Chris Evans, a chief hacking officer at HackerOne, “We’re in close communication with Uber’s security team, have shut down their data, and will continue to assist with their investigation.“
According to the New York Times, the hacker, who is 18 years old and has been honing his cyber-security abilities for some years, broke into the Uber servers because “their security was lax.“
The individual also said Uber drivers should be paid more in the Slack message that reported the incident. In cyber-security, “people are the weakest link,” and this incident demonstrates that it was an employee who was duped that let the hackers in.
Although the phrase is correct, it is also terribly cruel. The more complete picture that is forming here demonstrates this hacker’s high level of motivation and expertise.
As has just been seen with the Okta, Microsoft, and Twitter hacks, inexperienced hackers with lots of free time and a carefree attitude may influence even the most cautious staff to commit cyber-security crimes. Just ask prominent ex-hacker Kevin Mitnick, who used sweet-talking to get past telephone networks in the 1970s, that this kind of hacking through social engineering is older than computers themselves.
The difference today is that hackers may combine their wits with highly developed, user-friendly tools to make their jobs even simpler.
Uber has had previous security lapses. It received criticism for failing to adequately report a 2016 data breach that affected 57 million users and drivers and for finally paying the hackers $100,000 to cover up the leak. Only in late 2017 did the public learn about it. Federal prosecutors in the U.S. have subsequently accused Joe Sullivan, the organization’s former security officer, of trying to cover up the event.
They claim Sullivan “instructed his team to keep informed of the 2016 hack tightly controlled.” Sullivan has refuted the charges. In addition to the felony obstruction and misprision charges that had already been filed against Sullivan, three more counts of wire fraud were handed down in December 2021. The superseding indictment said that Sullivan “supposedly arranged the delivery of a six-figure payment to two hackers in return for their quiet regarding the breach.”
Additionally, it stated that he “made purposeful measures to prevent anyone whose PII was taken from finding that the attack had happened and took steps to hide, distract, and mislead the U.S. Federal Trade Commission (FTC) about the data breach.”
Additionally, the most recent breach occurred while the criminal trial in Sullivan’s case began in the U.S. District Court in San Francisco.
In comparison to the breach in 2016, the compromise is unquestionably more significant, according to Kevin Reed, a chief information security officer at Acronis. “Hackers most likely already have access to any data Uber retains.”