Uber Users: What You Need to Know about Last Month’s Data Breach
MET cybercrime expert on how hacker likely gained access to company data and systems
Educating employees is crucial to prevent hacks, BU cybersecurity expert says. File photo by Jeff Chiu/AP Photo
Uber Users: What You Need to Know about Last Month’s Data Breach
MET cybercrime expert on how hacker likely gained access to company data and systems
Last month, the internal databases of American multinational ride-share company Uber were hacked. The unnamed 18-year-old who claimed responsibility for the hack said Uber’s ineffective security measures made the breach possible. The hacker, who was eventually arrested and is in police custody, is said to have gained access to Uber’s secure data through “social engineering,” which means manipulating or deceiving someone, often with email or phone calls, to gain access to personal or financial information. These manipulation methods are becoming commonplace in the world of cybercrime. By posing as a corporate information technology worker, the hacker claimed to have convinced an Uber contractor to reveal the password to Uber’s systems. Uber says it is also possible the hacker bought the corporate password on the dark web.
According to Uber, having obtained the contractor’s password, the hacker sent repeated log-in requests to the contractor’s account and was then able to bypass Uber’s two-factor log-in authentication—a system where a user is granted access after electronically confirming their identity twice—when the contractor finally accepted the authentication. The hacker was also admitted to the Uber Slack account and posted a message that read: “I announce I am a hacker and Uber has suffered a data breach.”
A security update from Uber says they believe the cybercrime group Lapsus$ is responsible for the attack. “We’re working with several leading digital forensics firms as part of the investigation,” Uber writes. “We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”
BU Today spoke with Kyung-shick Choi (MET’02), a Metropolitan College professor of the practice and director of its Cybercrime Investigation & Cybersecurity programs, about the implications of the hack and how companies and users can protect themselves.
This interview has been edited for length and clarity.
Q&A
with Kyung-shick Choi
BU Today: Can you briefly describe the scope of Uber’s security breach?
Choi: Uber’s security breach is quite an interesting case, because unlike other major breaches, I wonder if the hacker attained what they really wanted to attain. I was expecting some sort of ransomware attack so they could seek financial gain. But this time, it looks like they didn’t really get much. Of course, maybe Uber’s cybersecurity quickly responded to the incident, but they clearly stated they hacked right on the Slack. And so to me, that’s much more what the motivation could be.
They already identified the potential suspect, Lapsus$. It’s a Brazilian hacker group—I presume a group of teenagers. We call them “cyber punks.” They have been really active recently and are gaining fame. I think maybe that’s why they were aiming at such a huge company.
BU Today: Can you talk about their methods, how they possibly gained access?
Choi: According to Uber, the hacker group purchased the log-in password from the dark web. It’s very common that hackers are trading, selling, and buying older password and log-in names. So consider, if they are cyber punks and not extremely skillful, just getting the credential through the dark web is the easiest way to commit crime, rather than a complicated hacking process. So maybe that’s what’s happening in this case.
Now, Uber has a two-factor authentication system, and so that’s double protection. With two-factor authentication, you get that notification and you have to press the buttons. So maybe [an Uber worker] thought, okay, I did it, and so they approve. So that’s one way, and that’s pure luck to be honest, if [the hackers] did it that way.
Another way, if they’re really dedicated hackers, [is to] get deeper into the system. And then they [would] escalate the privilege and change the information to switch the contact to their own. It has to be a burner phone so that you can get your own authentication using the burner. That’s what pretty skillful hackers do, but it looks like the [Uber hackers were] not at that level. That’s my assumption. But normally cyber punks try and try and try, and can kind of luckily get in.
BU Today: What are the potential ramifications for users and their data as a result of the hack?
Choi: Personal data is so important. Every single person’s data can be weaponized and used against them. Your data can be used for criminal purposes, for account takeover, or financial gain. And then, of course, [hackers] can sell the information. And that’s why privacy is so important, in that we really have to protect ourselves.
I can expand it to sexual crime. And so if hackers find out the date of birth, location, and all of that, they can stalk people and then even commit sextortion. I’ve seen those cases a lot.
People think, oh, this is just one hack. But it’s not just one hack. The damage could be substantial to individuals, families, and the community at large. That’s why we have to be really cautious.
BU Today: What data is believed to be compromised by the attack?
Hackers downloaded the financial information from Slack. The financial information could be anything. It could be invoices or employment information. So, I think [Uber and the authorities] are currently investigating that and what types of information were compromised. According to them, nonsensitive data was exposed, but we don’t know until we really see what happened. Credit card information is encrypted and so that information is safe, and other travel information is secure.
I think right after the incident [Uber] reported it to law enforcement and now the FBI is involved. I think [Uber] did the right thing, so once the FBI gets involved and they do a very extensive investigation, we will receive much more accurate information.
BU Today: Do you think Uber handled the situation well?
I didn’t see the evidence. If I investigated it, then maybe I could see the log file and when they really got hacked. In most hacking incidents, especially on a big scale, the corporations don’t report the victimization right away. I hope Uber reported it right away. At least the suspect and the hacking group left a message, but we don’t know when they really started. And so maybe they spent extensive time, maybe a month of time, until they got to that stage.
Commonly, major cases are similar in that way because [hacked companies] don’t want to ruin their reputation from the corporate side. They don’t want to give bad images to the public. Who’s going to use Uber if they constantly get hacked?
In this case, [Uber] saw the sign of the hack and they reported it to law enforcement. I think that’s the right way to do it. And that’s why maybe the damages, according to Uber, are minimal. Although, we don’t know yet.
BU Today: Are other rideshare apps vulnerable to similar attacks?
Of course. Because of the tendency of hackers, if they are professional hackers, they will never attack headquarters, because headquarters have a lot of security built right there. All the major hacks, if you really examine them, are not really happening by directly hacking into the main server. [Hackers] are always finding the small vendors. The size of the company could be very small. That’s a vulnerability right there. That’s also how you handle digital information, and that’s very important.
But definitely Lyft and all the others should be careful. So that means they need to educate their employees.
BU Today: What steps should Uber and other rideshare apps take to prevent similar attacks in the future?
I have my own theory and my theory has become dominant in computer crime victimization. It’s called “cyber-routine activities theory.” Very simple. There are two factors that contribute to computer crime victimization. So either online behavior, that means a human error, and/or there’s a security issue. Business emails getting compromised is always the number one computer crime victimization throughout the history of the internet or email.
Then another factor is cybersecurity. What if you don’t have basic protection? What if you don’t have the internal security management? Meaning, do you have a strong policy in place in your company? If something happens, incident response is so important. If you don’t have an incident response policy…they have everything. You just have to wait for law enforcement and watch the hackers stealing every single thing. You cannot do anything because you don’t know what to do.
Also important is educating employees. It’s critical.
Many [hacking] cases, I would say close to 50 percent, come from an insider. So that’s why you have to maintain all the security credentials, especially when [employees] leave the company. Revenge is a huge factor. [If] they’re not just leaving nicely…[if] they’re doing something with it, maybe selling the information, or sharing all the credentials, or selling it to the dark web.
BU Today: It’s believed the hacker potentially gained access to Uber’s internal systems through a psychological manipulation tactic referred to as social engineering. How can Uber and other companies better prepare and train their employees to identify these persuasive techniques?
The effective training has to be hands-on training. So statistically speaking, hands-on training really boosts your long-term memory. This type of training is essential so that you feel it when you click it and see what happens. Our programs at MET are designed to train our future law enforcement in cybercrime investigation and cybersecurity. We’re creating a scenario. So we have a suspect and a victim. Students really feel it. They are investigating the case and see how [the hacker] sends a phishing email and they really observe.
Also, technology quickly evolves, almost everyday. And then our online behavior quickly adapts. The companies should think about that and the changing technology. Companies should really know their employee populations and the characteristics for using social media, for example.
BU Today: How can users protect themselves and their personal data when using rideshare apps?
Anytime you hear an incident has happened, the first thing you have to do is change your passwords. If you see anything happen, like a hacking incident from the company side, I highly recommend changing passwords so [hackers] cannot do anything further.
And so of course, never use the password you have used before. If I were an Uber customer, I would have a very strong password. And be careful when you download apps, by making sure you are downloading genuine apps, because there are lots of replicated ones.
Comments & Discussion
Boston University moderates comments to facilitate an informed, substantive, civil conversation. Abusive, profane, self-promotional, misleading, incoherent or off-topic comments will be rejected. Moderators are staffed during regular business hours (EST) and can only accept comments written in English. Statistics or facts must include a citation or a link to the citation.