Uber says compromised third-party to blame for data breach
Vulnerable third-party vendor Teqtivity sparks second major incident for Uber in the space of three months
Ride hailing giant Uber has revealed it is responding to data breach that it says occurred as a result of a compromised third-party vendor.
Over the weekend, a threat actor operating under the name ‘UberLeaks’ posted sensitive information to a popular hacking forum, which they claimed originated from Uber and Uber Eats.
The threat actors claimed that data included source code and IT asset management reports, as well as domain login details, email addresses, and sensitive corporate information, according to a report from BleepingComputer.
The information, which has been analysed by security experts, is believed to include email addresses and information pertaining to more than 77,000 employees.
Initial reports suggest that the incident is not related to a previous breach disclosed by the firm in October.
A spokesperson for Uber told BleepingComputer that the breach is “related to an incident at a third-party vendor and unrelated to our security incident in September.”
“Based on our initial review of the information available, the code is not owned by Uber; however, we are continuing to look into this matter,” the spokesperson added.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Third-party vendor breach
Following a preliminary investigation into the breach, Uber has since confirmed that the incident came as a result of a compromised third-party vendor, Teqtivity.
Teqtivity is one of a number of third-party companies that Uber relies on to support services. The firm helps Uber track, monitor and manage IT assets, including mobile devices and computers.
In a statement, Teqtivity confirmed the breach and said it has launched an investigation into the matter.
“We are aware of customer data that was compromised due to unauthorised access to our systems by a malicious third party,” the company said.
“The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.”
According to the firm, exposed data includes information pertaining to:
- User information such as work location details, full names and work email addresses
- Device information, including serial numbers, make, models and technical specifications
Teqtivity revealed it is working with a third-party forensics team to investigate the breach. A third-party security team has also been retained to begin penetration testing of the firm’s infrastructure.
"Our investigation is ongoing. However, we have notified affected customers of the incident and have taken steps to ensure the situation is contained and have prevented this type of event from happening again,” the firm added in its statement.
Initial posts by ‘UberLeaks’ claimed that the threat actor(s) had breached Uber’s internal systems. However, the company insists that it is yet to observe any malicious activity on their network.
“The third-party is still investigating but has confirmed that the data we’ve seen came from its systems, and to date we have not seen any malicious access to Uber internal systems,” the firm told BleepingComputer.
Third-party security risks
This incident once again raises questions over third-party vulnerabilities and the potential risks posed to organisations.
In recent years, Marriott, Instagram and DoorDash have experienced data breaches as a result of third-party vendor vulnerabilities.
Enhancing cyber security in an expanding landscape
How secure connections between wireless peripherals can help mitigate cyber incidents and empower employees
A recent study by Cyentia Institute found that nearly one-third (31%) of vendors are considered a “material risk” in the event of a data breach.
This growing issue has prompted organisations to implement measures to mitigate threats across the supply chain, with 79% stating that they now have formal programmes in place to manage third-party risk.
Similarly, nearly two-thirds (60%) said that managing third-party vendor risks has become a key priority for their organisation.
Ian McShane, VP of strategy at Arctic Wolf warned that growing threats and high-profile compromises have highlighted the need for businesses to “understand who their suppliers are” and reduce risk by keeping tabs on vendors operating within their environments.
“In recent years, we’ve seen that companies are becoming more at risk of being either the ‘target’ or the ‘transport’ that allows other organisations to be hacked,” he explained.
“Vendor risk assessment is a critical aspect of any organisation's security operations and this must be a priority for 2023,” McShane added.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.