Over 77,000 Uber employee details leaked online
Rideshare company Uber has suffered a data breach after Teqtivity, a software company that provides asset management and tracking services for Uber, was targeted in a cyber attack.
The malicious party responsible for the breach posted confidential company information they claimed to have stolen in the breach to the hacking forum BreachForums under the pseudonym ‘UberLeaks’.
According to the cybersecurity news site BleepingComputer, the leaked information includes “source code, IT resource reports, data destruction reports, Windows domain login names and email addresses, and other corporate information” as well as “email addresses and Windows Active Directory information for over 77,000 Uber employees.” No user information was accessed or shared as a result of the breach.
In a statement to BleepingComputer, an Uber spokesperson said the leaked files are “related to an incident at a third-party vendor” and are “unrelated” to a cybersecurity incident the company suffered in September 2022. The spokesperson said that based on a review of the leaked information on BreachForums, the code is “not owned by Uber”, but confirmed that the company is “continuing to look into this matter”.
This was confirmed by Teqtivity, which said in a statement that the information was “compromised due to unauthorized access to [its] systems by a malicious third party”, which “was able to access [the] Teqtivity AWS backup server that contained Teqtivity code and data files related to Teqtivity customers” including Uber.
UberLeaks posted four separate batches of data to BreachForums, which they claimed contained source code information for MDM platforms linked to Uber. The alleged source code was for the MDM platforms for Uber and Uber Eats, as well as third-party provider services, namely IT asset management company Teqtivity and travel, corporate card and expense management platform TripActions.
Uber has since denied that the hackers gained access to the company’s internal systems. Similarly, TripActions told BleepingComputer that “no TripActions data was exposed … nor were TripActions’ customers affected as part of this security incident” as “TripActions does not maintain an MDM”.
In the posts on BreachForums, UberLeaks alleged that those responsible for the breach belonged to the hacker gang Lapsus$, which orchestrated a hack into Uber’s internal systems in September. Uber has denied this claim.
What is Lapsus$?
Lapsus$ is a malicious hacker group that has been classified as DEV-0537 by Microsoft. The group is known for gaining access to companies by targeting employees with social engineering attacks.
According to Microsoft, Lapsus$ frequently “announc[e] their attacks on social media or advertis[e] their intention to purchase credentials from employees of target organizations”.
Lapsus$ has been linked to a number of high-profile hacking cases, including one in March 2022 where the group hacked both Okta and Microsoft within a week. In both cases, the company’s internal servers were accessed through the compromise of a single employee’s account.
Earlier Lapsus$ hacks into Uber’s internal systems
On September 15, 2022, a hacker used a compromised Uber EXT account to gain access to the company’s internal systems after an employee’s personal device was infected with malware and their login information was posted on the dark web.
According to the rideshare company, the hacker then “gained access to several other employee accounts that ultimately granted the attacker elevated permissions to a variety of tools, including G-Suite and Slack,” and then “posted a message to a company-wide Slack channel . . . and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal websites”.
Uber linked the hack to the Lapsus$ hacking group, as the group “typically uses similar techniques to target technology companies”, and suggested that the group was responsible for a hack into video game company Rockstar Games that occurred just days later on September 19.
Former Uber CSO found guilty of covering up data breach
Uber was previously criticized for covering up a data breach that occurred in November 2016 that exposed the data of 57 million employees and users.
The data exposed included full names, email addresses, phone and driver’s license numbers for both customers and drivers. The data was exposed after hackers used stolen credentials to obtain an access key from a source code repository. This then allowed the malicious actors to gain access to the personal data.
The company admitted to covering up the breach in July 2022 as part of a non-prosecution agreement with the US Department of Justice and Uber paid US$148,000 to settle a civil lawsuit.
In addition, former Cyber Security Officer (CSO) of Uber, Joe Sullivan, was convicted on October 5, 2022 of obstructing the proceedings of the Federal Trade Commission (FTC) and felony false imprisonment in connection with the attempt to cover up the hack.
Sullivan was charged after failing to notify the FTC of the data breach while Uber was under investigation by the commission in relation to a breach in November 2014. The breach saw the details of 50,000 customers leaked online.
Sullivan was notified of the existence of the data breach on November 14, 2016, after being directly contacted by the hackers responsible. After contacting the hackers, Sullivan attempted to pay them $100,000 to sign a nondisclosure agreement that, according to the DOJ, “contained the false representation that the hackers did not take or store any data,” and eventually paid them the sum in Bitcoin in December 2016, despite not knowing their true identity.
In January 2017, Uber discovered their identity and the hackers signed a new version of the original non-disclosure agreement containing their true names. Both hackers were indicted and pleaded guilty in October 2019 to charges of computer fraud conspiracy.
Evidence showed that Sullivan did not disclose any information about the cybersecurity incident to Uber’s lawyers handling the investigation, nor to Uber’s general counsel. The first investigation was settled in the summer of 2016, without Sullivan mentioning the breach.
In 2017, Uber began investigating the 2016 breach and disclosed it to both the FTC and the public. During the investigation, Sullivan falsely told the new CEO of Uber, Dara Khosrowshahi, that the hackers were only paid after their identities were revealed. He also deleted information from a draft report on the breach that involved the exposure of a large amount of personal information about many Uber customers.
At the 2022 trial, the jury found Sullivan guilty of obstruction of justice and felony false imprisonment. He faces a maximum of five years in prison for obstruction and a maximum of three years for false imprisonment. He remains free on bond and will be sentenced at a later date, yet to be determined.