As the dust settles around Uber’s recent data breach, the internet will likely begin to point fingers at those who they deem responsible for the attack, which allegedly occurred through a social engineering scam targeting Uber employees’ credentials.
But playing the blame game — whether it’s directed at specific Uber security controls, employees or even the company itself — is pointless in an industry where time would be better spent learning lessons, applying mitigations, and sharing for awareness rather than spewing ‘shoulda woulda coulda’ criticisms.
The reality is that despite the stature of Uber as a technology giant, virtually every single company is at risk of a breach that originates through a socially crafty attacker, simply because the people that make up the company are susceptible to manipulation. Details are still emerging as Uber and law enforcement investigate, but it appears that an Uber employee received MFA push authentication requests from the attacker, who then posed as an Uber IT employee to goad his target into sending his credentials.
While that exact scenario can be taught in a security awareness course to prevent future incidents from occurring, the nature of social engineering scams means that a determined hacker will simply find another method to confuse an employee. And Uber won’t be the last company to learn this lesson, as big businesses like MailChimp, Okta and Twilio have recently been compromised by social engineering scams.
According to Verizon’s 2022 Data Breach Incident Report, 82% of all breaches in the past year incorporated a human element to make them successful — and attackers are not all relying on tech-illiterate grandparents to grant them access to their targets.
Generally, employees at Uber are as well-trained in security awareness as anybody in the technology industry, thanks to heavy investments in the company’s security posture following a 2017 controversy in which the company was caught concealing a breach involving the records of 57 million users and drivers. But even with an unlimited budget and all the security tools in the world at their disposal, Uber and other businesses can’t protect against a human making a mistake.
As a result, the fact that the company discovered a breach last week has little to do with its internal security controls and more to do with an alarming trend of attackers flexing their ability to intrude into an organization’s environment without any rhyme or reason for doing so. The attacker claiming responsibility for the breach alleges that they are 18 years old and appeared to have no financial or ulterior motive beyond compromising the company other than drawing attention to the ease in which they could gain access.
Uber claims that no sensitive information was accessed during the breach, making it all the more likely that the attacker simply wanted to troll and annoy the ride-hailing and food delivery giant just because he or she found it funny — and initially, other Uber employees did as well.
Whether Uber’s attacker wanted to gain clout or fame from their actions is yet to be determined, but if they are only 18 years old, they may have drawn inspiration from previous youth that made a name for themselves through hacking, like Lulz Security, a group of teenagers who called themselves Lulz Security claimed responsibility for several high profile attacks with no material gain, or like Graham Ivan Clark, the child who hacked Twitter in 2020.
Clark is serving three years in prison right now for hacking the accounts of Jeff Bezos, Barack Obama and more high-profile Twitter accounts, but he also made headlines in the New York Times and became part of hacker lore. In order to build credibility online, where everyone is anonymous by default, it makes sense why a youngster would want to successfully pull off a breach of a huge company — without any real plan once it happens.