A data breach incident sent a shockwave through Uber on the 16th of September when the company's cyberspace was hacked. It stirred up the internet and surprised netizens that a big company like Uber could be compromised, especially because it was by an alleged 18-year-old "newbie" hacker who had been learning cybersecurity and decided to use Uber as a practice ground. While Uber reported that the hacker went on to hack Rockstar Games over the weekend and leaked the GTA 6 video, he was rumored to have hacked Microsoft, Samsung, Nvidia, and Ubisoft in the recent past. Uber believes the attacker is a member of Lapsus$, a notorious group of hackers. How did this hacker break Uber's security walls? He used the common but least expected cyberattack technique– social engineering. After social engineering an Uber employee, he logged into Uber's VPN, scanned their intranet, and went ahead to download the company's HackerOne vulnerability reports and accessed many of their systems. The systems accessed include the company's Slack server, Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts. He shared screenshots to establish the breach. The hacker revealed in a chat with Corben Leo, a Cybersecurity Researcher, that - "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM) Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite." The Technical Implication Having established that an employee was social-engineered before the Uber security crisis, cybersecurity awareness and training have become vital. It goes to show that using sophisticated cybersecurity technologies is not enough because just as Cybersecurity SaaS firms update their strength, hackers equally upgrade their tricks and tactics to asperse these technical muscles. Social engineering tactic works well on people's minds and has recently been used to including Twitter, MailChimp, Robinhood, and Okta. Thus, as it has become apparent that recent breaches across known organizations were through employee weaknesses, training staff and workers should be given serious attention. attack other big companies, The disturbing Data Breach has caused security improvements across tech companies and moved Uber to open jobs for cybersecurity experts. While this step is essential, tech companies are advised to channel more efforts towards cybersecurity awareness for users and employee training. In as much as there was this breach is a big threat and reputation [confidence loss] issue for Uber. no report nor evidence of financial loss or users' confidential and sensitive information disclosure, Can we rightly say that the attacker is an ethical hacker who only intended to disclose the company's cybersecurity weakness? Otherwise, Uber might have been tangled in the web of another when the personal information of about 57 million customers and drivers was stolen. ransomware attack that it faced back in 2016 The advice for training is not to say that devising the expected industry standard of security safeguard is useless; it remains highly appreciated. It will be recalled that the employee's Uber Account was protected with Multi-factor Authentication (MFA), which made it difficult for the attacker to penetrate. The hacker eventually used an MFA Fatigue attack, sending several MFA requests to the employee. Resorting to social engineering, he He deceived him into accepting the push notification to solve the MFA requests that kept coming up. sent a text message to the employee pretending to be Uber IT Support. According to Bleeping Computer, are when a threat actor has access to corporate login credentials but is blocked from access to the account by multi-factor authentication. They then issue repeated MFA requests to the target until the victims become tired of seeing them and finally accept the notification. MFA Fatigue attacks In essence, while a strong security system is crucial for an organization, in the same vein, cybersecurity training for employees is equally vital. The Legal Implication It is no news that an organization risks legal tussle when the privacy of its users is breached. Aside from litigation from customers or investors, there are Regulatory infractions or prosecutions to be faced. provides a fine of up to €10 million or up to 2% of a company's entire global turnover of the preceding financial year, whichever is greater in case of breach of obligations of the monitoring or certification body. Article 83(4) of the EU General Data Protection Regulations (GDPR) Also, in , there is a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, where the infringement has to do with users' or customers' data. Article 83(5) of the GDPR The case is not different in Nigeria; there is the which under outlines that depending on the violation, a penalty may be up to either: 2019 Nigeria Data Protection Regulations (NDPR), Regulation 2.10 2% of the annual gross revenue of the preceding year or payment of the sum of ₦10 million (approx. €25,000), whichever is greater where the data controller is dealing with more than 10,000 data subjects; or payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of ₦ 2 million (approx. €5,000) whichever is greater where the data controller is dealing with fewer than 10,000 data subjects. In line with the NDPR, the , after probing 17 firms, against two companies in March and August of 2021. Nation Information and Technology Development Agency (NITDA) issued a fine of ₦5 million and ₦10 million Earlier this year, were sanctioned and put under investigation; the former was based on privacy breach reports and the latter after a Ransomware attack. Wema Bank Plc. and Bet9ja The Uber story showed that the company complied with requirements for security safeguards (especially the current industry standard) and mandatory breach reporting. While the company might have escaped regulatory sanctions, it may not have escaped litigation had customers' confidential information been lost or stolen. It is a part of the Risk Management scheme to subscribe to Cyber Security Insurance which covers losses resulting from cybersecurity incidents. However, in the Uber kind of incidents, the insurance policy may not avail them as there are limitations to what cybersecurity insurance policies can cover. Among many, by the Insurance policy. social engineering losses arising from new hardware installation, fresh software upgrades, and third-party errors are generally not covered QUICK TIPS: Understand the legal consideration on what standard of security safeguard is expected of your industry Be abreast of how often you should carry out cybersecurity training Understand the mode and form of announcement in the event of a compromise Understand how timeously you are expected to make the data breach announcement Quickly, the United States (U.S.) does not have a single data protection legislation. Instead, there are a number of these regulations based on Federal and State jurisdictions. In any event, they are all there to protect the data and privacy of the citizens and residents. However, at the federal level, there is the which established the Federal Trade Commission, the which outlines rights and restrictions regarding data held by US government agencies, and the which gives rights to authority to have access to citizens' information. As a result, the position of law varies from State to State in the U.S. FTC Act U.S. Privacy Act U.S. CLOUD Act The Way Forward In the legal parlance, there is a maxim that reads , meaning This section will discuss steps that comply with international best practices concerning cyber security culture. Ubi Jus Ibi Remedium There is no wrong without a remedy. Employee's Training: It can no longer be overemphasized that regular training of employees is crucial. A company can have the most sophisticated security system, but it remains unsafe if its employees lack basic security antics– this can easily be deduced from the Uber incident. A well-trained employee will easily spot cyber threats and understand the need to report threats quickly. As a way of helping employees implement the training and keeping employees on alert, an organization can establish security tasks to be carried out by employees on a weekly or monthly basis. Strong Multi-factor Authentication (MFA): MFA is safer than 2FA, but MFA can be made stronger. Two-Factor Authentication implies after entering your login details; an OTP will be sent to you for a second-time authentication before finally accessing your account. On the other hand, multi-factor authentication means you'll need to authenticate twice or more. For example, you may be required to enter an OTP and later enter biometric information (facial recognition or thumbprints). An MFA requiring three (3) authentication procedures where the other two entries are strictly inherent factors is deemed stronger and safer. (requiring to enter what you know, such as OTP– one-time password or answer to security questions); (what you have, that is hardware token or mobile device) and (what you are, which is biometrics). There are three types of authentication factors: knowledge factor possession factor inherent factor Being At Alert On Social Engineering: Here, vigilance is key. No tech expertise is needed to prevent social engineering; spotting one when it surfaces is the best way to prevent the attack and manipulation. This is so as it's often difficult to free oneself once caught in the spell of a hacker. Deleting unfamiliar links or emails and verifying the personalities of the caller/text sender before taking action, among other safety practices, suffice. Specialized Gadgets for the Job: Employees should not be allowed to use their official gadgets for personal use. This is good for them and the organization. Appointing Required Positions: of the European Union requires the appointment of a data protection officer (DPO), described as a person with expert knowledge of data protection law and practices, to assist the organization in monitoring its internal compliance with the Regulation. This provision is at par with Article 37 of the General Data Protection Regulations (GDPR) Regulation 4.1 of Nigeria's 2019 NDPR. In my view, I think the DPO Office should include two sets of officials: a Data Security Officer who is a cybersecurity officer for the technical and systemic aspects; and a Regulatory Compliance Officer who is a legal officer and expert in data protection laws and practices. These nomenclatures can be internal for administrative convenience or simply listed as DPO 1 and DPO 2. a. Data Security Officers/Chief Information Security Officer: Cybersecurity experts have strongly warned that security officers should desist from encrypting sensitive codes in the scripts. Unfortunately, such an error occurred with the Uber cybersecurity officers, as the hacker made it known that he retrieved an Admin username and password in one of Uber's PowerShell scripts which gave him access to several systems. A DSO/CISO will understand all these weaknesses and prevent future occurrences. b. Regulatory Compliance Officers: As a legal officer, the RCO will advise on the extent of notice, such as content requirements and notice deadline. Thus, the RCO helps the company make a and avoid This includes being careful of the statement to avoid clear admission of fault. An RCO may be in-house and can be an external solicitor or litigation counsel. timeous notification risks associated with making incomplete or inaccurate statements about the facts of the breach. End-User Awareness: In our highly digitalized world, where sophisticated technologies keep rising daily, an organization can be compromised through its customers. Also, a user who is hacked and loses properties may believe it's due to the company's weak security system. Thus, creating cybersecurity awareness and sharing security tips with customers will go a long way. The collective utilization of the above practice will help build a strong security culture for tech organizations. Also published . here Illustration by Alex Castro / The Verge

The writer is smart, but don't just like, take their word for it. #DoYourOwnResearch

Amazon

Google

Microsoft

NVIDIA

Robinhood

Samsung

Slack

Target

The Verge

Twitter

Uber

Protecting Your Gadgets from Hackers: 9 Cybersecurity Best Practices (2024)

Contact me for your cross-sectoral technical writing, legal writing and compliance services.

Too Long; Didn't Read

Download free Tech Leaders Productivity Report!

The Massive Uber Hack: Technical and Legal Implications

The Massive Uber Hack: Technical and Legal Implications

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Protecting Your Gadgets from Hackers: 9 Cybersecurity Best Practices (2024)

(1/100) Crypto Countdown: Golem

A Research Report on the Trader $JOE DeFi Platform

07/03/2018: Biggest Stories in the Cryptosphere

05/02/2018: Biggest Stories in the Cryptosphere

Protecting Your Gadgets from Hackers: 9 Cybersecurity Best Practices (2024)

(1/100) Crypto Countdown: Golem

A Research Report on the Trader $JOE DeFi Platform

07/03/2018: Biggest Stories in the Cryptosphere

05/02/2018: Biggest Stories in the Cryptosphere

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps