Uber admitted Thursday afternoon that it had fallen victim to a data breach in which the internal network systems of the world’s largest ride-sharing company were hacked. “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available,” tweeted the official Uber Comms account on September 16, 2022.
Uber was Hacked, Social Engineering attack suspected
Hackers have targeted many prominent companies in the past couple of months, and it seems that Uber has now joined their ranks. It’s still unclear what type of security incident the company had, but it was severe enough to prompt Uber’s IT team to take some internal communications and engineering systems offline as a precautionary measure while the full effects of the cyberattack are being investigated.
Uber has yet to comment on whether any of its customers’ personal data, such as credit card information, has been leaked through this breach, but the fact that the company has partially disconnected its infrastructure from the Internet indicates a possible entry point for the attackers.
Security experts often point out that software security is only as strong as its weakest link. When it comes to cybersecurity, there are two equally valuable components to consider: the software component and the human component. Hackers will attack and exploit the weakest link because that is the part most likely to be easily broken. In 2022, vulnerabilities are no longer exploited exclusively through unpatched bugs in installed applications and operating systems (Windows, macOS, Linux, etc.). Social engineering is the most efficient attack vector for hackers to steal sensitive information.
Even though attackers have plenty of options, they prefer exploiting human vulnerability because it does one thing better than any other method: it tricks victims into partaking in their own attack. For example, it is enough for a hacker to compromise a single employee’s VPN access and then use the victim’s login information to break into the company’s internal network. Companies often face this problem: attackers usually can’t bypass technical security controls, so they focus on social engineering and phishing to get the login data.
Most Employees receive no Social Engineering Awareness Training
The majority of employees receive no social engineering awareness training, leaving them vulnerable to phishing and other types of social engineering tactics. Knowledgeable employees, research shows, are the first line of defense for a modern company. A GetApp survey shows that most companies pay no attention to how their employees navigate the maze of social engineering. In fact, the numbers reveal once more the reasons attackers usually target people first, then the infrastructure. The only sensible solution for companies is to train their employees to recognize the dangers. Hackers’ willingness to go after employees is proportional only to companies’ lack of preparedness. Almost 75% of companies never equip people with minimal training, which means that organizations put themselves at risk. Social engineering can target specific people with spear-phishing techniques or business email compromise (BEC) attacks, both of which are much easier to carry out against a cyber-unaware workforce. The problem is compounded by the fact that 43% of employees don’t receive data security training regularly, and 8% have never received formal training of any kind. Proofpoint’s 2019 Human Factor report shows that attackers exploit human flaws in 99% of attacks by mimicking business routines.
Companies can use employee security training as a shield, but that’s not enough. A critical step is the internal security audit, which can root out hidden issues. For example, a poll conducted across the United States, Australia, France, Germany, and the United Kingdom found that 59% of people use the same password everywhere. Such a vulnerability would cause havoc in an organization that doesn’t pay attention to what employees use on their systems.
Phishing and other social engineering techniques are always used as attack vectors against companies, but that’s possible only when people don’t know how to safeguard against them. Training employees to recognize a phishing attempt is the same as educating kids not to talk to strangers, making prevention a solid first step towards strengthening a company’s cybersecurity posture.
Little is known about this recent cybersecurity incident, except for what the company already communicated, but more details will likely surface as the Uber investigation goes on.