IOTW: Over 77,000 Uber employee details leaked in data breach

Rideshare company Uber has suffered a data breach after Teqtivity, a software company which provides asset management and tracking service for Uber, was targeted in a cyber attack.  

The malicious party responsible for the breach posted confidential company information they claimed to have stolen in the breach to hacking forum BreachForums under the pseudonym ‘UberLeaks’.

According to cyber security news site BleepingComputer, the leaked information includes “source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses and other corporate information” as well as the “email addresses and Windows Active Directory information for over 77,000 Uber employees”. No user information was accessed or shared as a result of the breach.

In a statement to BleepingComputer, an Uber spokesperson said that the leaked files are “related to an incident at a third-party vendor” and are “unrelated” to a cyber security incident the company suffered in September 2022. The spokesperson said that based on a review of the information leaked on BreachForums, the code is “not owned by Uber”, but affirmed that the company is “continuing to look into this matter”.

This was corroborated by Teqtivity who said in a statement that the information was “compromised due to unauthorized access to [its] systems by a malicious third party”, who “was able to gain access to [the] Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers” including Uber.

UberLeaks posted four separate batches of data to Breach Forums, which they alleged contained source code information for mobile device management (MDM) platforms linked to Uber. The alleged source code was for the MDM platforms for Uber, Uber Eats  as well as its third-party vendor services, namely IT asset management company Teqtivity and travel, corporate card and expense management platform TripActions.  

Uber has since denied that the hackers gained any access to the company’s internal systems. Likewise, TripActions told BleepingComputer that “no TripActions data was exposed...nor were TripActions’ customers impacted as part of this security incident” as “TripActions does not maintain an MDM”.

In the posts on BreachedForums, UberLeaks alleged that those responsible for the breach belonged to hacking gang Lapsus$, who orchestrated a hack into Uber’s internal systems in September. Uber has denied this allegation.

What is Lapsus$?

Lapsus$ is a malicious hacking group that has been classified as DEV-0537 by Microsoft. The group is known for gaining access to companies by targeting employees with social engineering attacks.  

According to Microsoft, Lapsus$ frequently “announc[e] their attacks on social media or advertis[e] their intent to buy credentials from employees of target organizations”.

Lapsus$ have been linked to a number of high-profile hacking cases, including one in March 2022 where the group hacked both Okta and Microsoft within a week. In both cases, companies’ internal servers were accessed through the compromise of a single employee’s account.

Previous Lapsus$ hack into Uber’s internal systems

On September 15, 2022, a hacker used a compromised Uber EXT account to access the company’s internal systems after an employee’s personal device became infected with malware and their login credentials posted to the dark web.

According to the rideshare company, the hacker then “accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack”, then “posted a message to a company-wide Slack channel...and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”.

The hack was linked to the Lapsus$ hacking group by Uber, as the group “typically uses similar techniques to target technology companies” and suggested that the group were responsible for a hack into video game company Rockstar Games that occurred just days later on September 19.

Former Uber CSO found guilty of covering up data breach

Uber previously came under fire for covering up a data breach that occurred in November 2016 that exposed the data of 57 million employees and users. 
The data exposed included the full names, email addresses, telephone and driver’s license numbers for customers and drivers alike. It was accessed after hackers used stolen credentials to obtain an access key from a source code repository. This then allowed the malicious actors to gain access to the personal information.

The company admitted to covering up the breach in July 2022 as part of a non-prosecution agreement with the US Department of Justice and Uber paid US$148,000 to settle a civil litigation.

Additionally, former cyber security officer (CSO) of Uber, Joe Sullivan was convicted on October 5, 2022, of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of felony in connection with attempting to cover up the hack.

Sullivan was charged after failing to alert the FTC of the data breach while Uber was under investigation by the commission in relation to a breach in November 2014. The breach saw the details of 50,000 customers leaked online.

Sullivan was alerted to the existence of the data breach on November 14, 2016, after being directly contacted by the hackers responsible. Following contact with the hackers, Sullivan attempted to pay them $100,000 to sign a non-disclosure agreement which, according to the DOJ, “contained the false representation that the hackers did not take or store any data”, and eventually paid them the sum in Bitcoin in December 2016, despite not knowing their true identities.

In January 2017, Uber discovered their identities and the hackers signed a new version of the original non-disclosure agreement which contained their true names. Both hackers were prosecuted and pleaded guilty in October 2019 to charges of computer fraud conspiracy.

Evidence showed that Sullivan did not disclose any information about the cyber security incident to Uber’s lawyers who were handling the investigation, nor to the General Counsel of Uber. The initial investigation was settled in summer of 2016, without Sullivan mentioning the breach.

In 2017, Uber began investigating the 2016 breach and revealed it both to the FTC and the general public. During the investigation, Sullivan falsely told the new CEO of Uber, Dara Khosrowshahi, that the hackers were only paid after their identities were revealed. He also deleted information from a draft of a report on the breach that involved the exposure of a large amount of personal information of many Uber customers.  

At the trial in 2022, the jury found Sullivan guilty of obstruction of justice and misprision of felony. He faces a maximum of five years in prison for obstruction and a maximum of three years for misprision. He remains free on bond and will be sentenced at a later date, yet to be set.