ELITE MORAN


UBER THIRD-PARTY DATA BREACH AND HOW COMPANIES CAN PROTECT THEMSELVES

Uber Technologies Inc. is still investigating a third-party breach that saw threat actors leak sensitive employee data online. The breach affected 77,000 Uber employees, and the hacker leaked additional information, such as the source code of Uber Eats, a food delivery service, and the company’s mobile device management platform.

Fortunately, the leaked data did not contain any customer information. According to Carissa Simons, Uber’s spokesperson, the new breach is unrelated to the September incident, where an attacker used social engineering to bypass authentication and gain access to the company’s networks. “We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September,” Simons noted.

Data breached through a third party

Uber disclosed that the hacker stole the data by breaching Teqtivity, an asset tracking and management firm. In its breach notification statement, Teqtivity confirmed that a malicious actor gained unauthorized access to an AWS backup server that hosted sensitive data, such as company code and user information. The same server also stored device data (technical specifications, make, model, and serial number) and customer information (first and last names, work location information, and work email addresses).

Third-party vendors are often considered weak links in organizational cybersecurity. A SecurityScorecard security researcher, Robert Ames, notes that companies grant third parties almost the same access privileges as employees, yet because their security measures are typically weaker, they are prime targets for attackers looking to infiltrate larger enterprises. “Vendors and other third parties are often granted the same access as employees but with fewer security measures, making them a weak link and, therefore, a popular target for threat actors. When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations,” Ames posits.

Lessons drawn from the breach

Ideally, companies would not trust anyone else to protect their critical assets, but most organizations rely on third-party vendors for essential daily services and processes. However, as the new Uber breach has shown, third parties can expose protected information to various security risks. Above all, the Uber data breach underscores that companies cannot rely on third-party security measures to secure vital assets and data, which requires enterprises to be more proactive in performing due diligence on the third parties they partner with.

Furthermore, the recent Uber breach comes a few months after Lapsus$ attackers compromised Uber by acquiring login credentials from Uber’s external contractor and leveraging multi-factor authentication bombing to trick a user into accepting an SMS login request to gain unauthorized access to Uber’s internal networks. While the Lapsus$ attack method differs from the latest breach, it illustrates an increasingly popular trend where attackers target third-party vendors in the supply chain to compromise larger organizations. Recent research revealed that 51% of companies had been breached through a third-party provider. Also, a different study showed that most enterprises consider third-party vendors as material risks when a data breach occurs.

As a result, many organizations have implemented measures for mitigating third-party risks. Arctic Wolf’s vice president of strategy, Ian McShane, has warned that the increasing number of high-profile breaches and the constantly evolving cyber threat landscape require organizations to understand who their vendors are in the supply chain and to monitor those environments continuously to reduce security risks. “In recent years, we’ve seen that companies are becoming more at risk of being either the ‘target’ or the ‘transport’ that allows other organizations to be hacked,” McShane explained. Although it is difficult to determine whether the attackers in the Uber breach identified Teqtivity as a possible entry point to Uber’s systems, the high volume of leaked data suggests that companies should not overlook third-party cyber risks.

What does the breach mean for Uber?

The Uber breach could have been worse, but the large amount of breached employee data implies that the company could suffer long-term consequences. These include spear-phishing and targeted social engineering attacks. The attackers now hold a database of Uber employees containing their email addresses, names, and work location information. Armed with this data, attackers can target the affected employees with carefully crafted spear-phishing and other sophisticated social engineering attacks to trick them into divulging sensitive company or personal data and login credentials.

Erich Kron, a cybersecurity awareness advocate, believes that such highly targeted social engineering attacks will be more difficult to detect and protect against. “Personal information on employees and customers can easily be used in creating more relevant and believable social engineering attacks in the future. People whose information may have been accessed or leaked should be made aware of the potential data misuse, and how it may impact them,” Kron noted. Thus, Uber must prioritize security training and awareness programs to address the follow-up phishing threats that are likely to emerge once hackers perceive weaknesses.

How to protect yourself from similar attacks

Rather than assessing third-party vendors on a case-by-case basis, forward-thinking organizations implement systems, processes, and frameworks to mitigate third-party risks proactively. Developing and maintaining a third-party risk management framework helps determine which risk management controls vendors have actually implemented. For example, a risk assessment questionnaire can help an organization understand a third party’s data security practices and approach to managing risk, and thereby improve its own cybersecurity posture.

Performing due diligence on prospective third-party vendors through cybersecurity audits is also essential to managing risk and preventing third-party breaches. For instance, Microsoft’s Supplier Privacy and Assurance Standards stipulate the data privacy and security requirements that suppliers must meet to ensure a robust cybersecurity posture. In addition, some compliance regimes require companies to ensure that a third party’s data protection practices are at least as strong as those implemented in the organization itself. In summary, the following practices should form the foundation of third-party risk management:

  • Identify the third-party vendors providing various services and maintain an inventory of their access requirements.
  • Define the organization’s cyber risk appetite.
  • Determine, classify, and categorize inherent risks.
  • Establish risk assessment standards, questionnaires, and frameworks.
  • Create an all-inclusive assessment schedule.
  • Define a schedule for assessing the identified third parties.
  • Develop an incident management and response plan for dealing with third-party issues as they arise.
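The practices above (a vendor inventory with access requirements, inherent-risk classification, a questionnaire checked against the organization’s own minimum controls, and an assessment schedule) can be automated as a small, repeatable check. The following is an added example written for this post; it is not Uber’s, Teqtivity’s, or any vendor’s actual process. The vendor records, scoring weights, risk tiers, review intervals, and required-control names are constructed assumptions chosen to show the mechanics, not industry-standard values.

```python
"""Vendor inventory, inherent-risk tiering and assessment-schedule checks.

Added illustration of a third-party risk management workflow. All vendor
records, weights, tiers and intervals below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Minimum controls every vendor handling our data must attest to (assumption).
# The questionnaire answers are compared against this set, so a vendor's
# practices must be at least as strong as the organization's own baseline.
REQUIRED_CONTROLS = {
    "mfa_enforced",
    "backups_encrypted",
    "backups_not_internet_exposed",
    "incident_notification_72h",
}

# Inherent-risk weights (assumption): sensitivity of data the vendor holds
# and the level of access it has into our environment.
DATA_WEIGHTS = {"public": 0, "internal": 1, "employee_pii": 3,
                "customer_pii": 4, "source_code": 3, "credentials": 5}
ACCESS_WEIGHTS = {"none": 0, "read": 1, "read_write": 2, "admin": 4}

# Higher tiers are reassessed more often (assumption).
REVIEW_INTERVAL = {"high": timedelta(days=180),
                   "medium": timedelta(days=365),
                   "low": timedelta(days=730)}


@dataclass
class Vendor:
    name: str
    services: List[str]
    data_classes: Set[str]            # what of ours the vendor stores
    access_level: str                 # key of ACCESS_WEIGHTS
    network_access: bool              # holds credentials into our environment
    last_assessed: Optional[date]     # None means never assessed
    questionnaire: Dict[str, bool] = field(default_factory=dict)


def inherent_risk_score(v: Vendor) -> int:
    """Score = most sensitive data class held + access level + network bonus."""
    score = max((DATA_WEIGHTS.get(d, 1) for d in v.data_classes), default=0)
    score += ACCESS_WEIGHTS[v.access_level]
    if v.network_access:
        score += 2
    return score


def risk_tier(score: int) -> str:
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assessment_due(v: Vendor, today: date) -> bool:
    """A vendor never assessed, or assessed longer ago than its tier allows, is due."""
    if v.last_assessed is None:
        return True
    tier = risk_tier(inherent_risk_score(v))
    return today - v.last_assessed > REVIEW_INTERVAL[tier]


def missing_controls(v: Vendor) -> Set[str]:
    """Required controls the vendor did not positively attest to."""
    return {c for c in REQUIRED_CONTROLS if not v.questionnaire.get(c, False)}


def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, dict]:
    """Produce a per-vendor summary a risk team could act on."""
    report = {}
    for v in vendors:
        score = inherent_risk_score(v)
        report[v.name] = {
            "tier": risk_tier(score),
            "score": score,
            "assessment_due": assessment_due(v, today),
            "missing_controls": sorted(missing_controls(v)),
        }
    return report


# Constructed sample inventory; names and answers are hypothetical.
REVIEW_DATE = date(2023, 1, 15)
SAMPLE_VENDORS = [
    Vendor("asset-tracker-example", ["device inventory"], {"employee_pii", "internal"},
           "read", False, date(2021, 12, 1),
           {"mfa_enforced": True, "backups_encrypted": True,
            "backups_not_internet_exposed": False, "incident_notification_72h": True}),
    Vendor("cdn-example", ["static hosting"], {"public"}, "none", False,
           date(2022, 10, 1), {c: True for c in REQUIRED_CONTROLS}),
    Vendor("mdm-contractor-example", ["device management"], {"credentials", "employee_pii"},
           "admin", True, None, {"mfa_enforced": True}),
]

if __name__ == "__main__":
    for name, row in review_inventory(SAMPLE_VENDORS, REVIEW_DATE).items():
        print(name, row)
```

Running the block shows the medium-tier asset tracker flagged as overdue for reassessment and missing an attestation that its backups are not reachable from the internet, which is the control most relevant to the kind of exposed backup server described earlier in this post; the never-assessed admin-level contractor lands in the high tier with several gaps, while the public-content CDN stays low and in schedule.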
