Uber Technologies has suffered a cybersecurity incident that has impacted internal communications and engineering systems, the company confirmed.
According to The New York Times, the person claiming responsibility for the attack sent images, cloud storage and code repositories to cybersecurity researchers and to the newspaper.
The company said it was investigating the breach and was in contact with law enforcement officials to help determine the extent of the hack. Two employees who were not authorized to speak publicly said all Uber employees were instructed not to use Slack, the company’s internal messaging service, and two other internal systems were inaccessible, The New York Times reports.
In an internal email, seen by The New York Times, Latha Maripuri, Uber’s chief information security officer, told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” Maripuri said.
All employees received a message that said, “I announce I am a hacker and Uber has suffered a data breach,” which listed a number of internal databases that the attacker claimed had been compromised. The message that announced the breach also stated that “Uber drivers should receive higher pay,” according to The New York Times.
The New York Times reports that the attacker used social engineering to gain access to Uber’s systems. The attacker, who says he is 18 years old, claimed to be a corporate information technology person and convinced an Uber employee to hand over their password. In addition, the attacker claims he broke into Uber’s systems because the company had inadequate security.
“Social engineering is becoming a more popular tactic for cybercriminals as it really provides the keys to the castle,” says Darren Williams, CEO and Founder of BlackFog. “Once in, the focus is always going to be data exfiltration, ultimately leading to extortion, data breaches and class action lawsuits.”
There’s a reason cybersecurity experts say that the human is often the weakest link when it comes to cybersecurity, says Ray Kelly, Fellow at Synopsys Software Integrity Group. “While companies can spend significant budget on security hardware and tools, in-depth training and testing of employees does not get the focus it should. Whether it be phishing/SMS attacks or a simple phone call to get an employee to give up their credentials, social engineering is going to be the easiest route for a malicious actor.”
When it comes to cyber defense in the modern age, protecting the perimeter alone simply isn’t going to cut it, Williams says. “Organizations must make the assumption that the bad guys are going to find their way in, so the focus must be on preventing them from leaving with the crown jewels — the data. IT leaders need to stay at least one step ahead of the bad guys,” Williams explains.