Incident & Breach Response , Security Operations , Vendor Risk Management
Uber Says Third Party Responsible for Latest Breach
Ride-Hailing App Points to Breach at Teqtivity, Says Lapsus$ Incident Not InvolvedUber says internal data apparently available for download on a hacking forum is the result of a data breach at a third-party provider and not a consequence of its September security incident at the hands of teenage extortion gang Lapsus$.
An actor going by the handle "UberLeak" on Saturday posted online a number of files available for free download purporting to originate from inside the ride-hailing company. Bleeping Computer and Restore Privacy each reported the news.
Although UberLeak references Lapsus$, the files "are unrelated to our security incident in September," an Uber spokesperson told Information Security Media Group.
The spokesperson pointed to a breach notification statement from Teqtivity, a firm that develops software for managing and tracking IT assets such as smartphones and computers.
Teqtivity acknowledges that a malicious third party gained unauthorized access to its systems, stating the threat actor "was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers."
The exposed data includes device information such as make, model and serial number, as well as user information including names and work email addresses. The company says it does not collect personal information such as home address or financial data.
Security experts who examined the data posted to the hacking forum told Bleeping Computer it contains source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses. The public posting of work email addresses places Uber employees at increased risk of phishing.
Uber's security came under renewed scrutiny after a Lapsus$ member used social engineering to get inside the Uber network. A self-proclaimed 18-year-old spammed the company's Slack channel with vulgar messages, reconfigured the company's DNS settings to redirect intranet websites to a picture of a penis and shared online screenshots of the company's cloud storage and code repositories.
Customer-facing operations "were minimally impacted and are now back to normal," the company said at the time (see: Uber Says Lapsus$ Hacker Breached Its Internal Systems).
Uber is just slightly more than four years into a two-decade-long period of oversight by the Federal Trade Commission during which it could be subject to civil penalties should it fail to notify the agency of incidents involving unauthorized access to consumer information. A jury recently convicted former Uber CISO Joe Sullivan of misleading federal investigations about a 2016 data breach affecting tens of millions of Uber account holders (see: Jury Finds Former Uber CSO Joe Sullivan Guilty of Cover-Up).