A data breach incident sent a shockwave through Uber on the 16th of September when the company's cyberspace was hacked.
It stirred up the internet and surprised netizens that a big company like Uber could be compromised, especially because it was by an alleged 18-year-old "newbie" hacker who had been learning cybersecurity and decided to use Uber as a practice ground.
While Uber reported that the hacker went on to hack Rockstar Games over the weekend and leaked the GTA 6 video, he was rumored to have hacked Microsoft, Samsung, Nvidia, and Ubisoft in the recent past. Uber believes the attacker is a member of Lapsus$, a notorious group of hackers.
How did this hacker break Uber's security walls? He used the common but least expected cyberattack technique– social engineering.
After social engineering an Uber employee, he logged into Uber's VPN, scanned their intranet, and went ahead to download the company's HackerOne vulnerability reports and accessed many of their systems.
The systems accessed include the company's Slack server, Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts. He shared screenshots to establish the breach.
The hacker revealed in a chat with Corben Leo, a Cybersecurity Researcher, that -
"One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM) Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite."
Having established that an employee was social-engineered before the Uber security crisis, cybersecurity awareness and training have become vital.
It goes to show that using sophisticated cybersecurity technologies is not enough because just as Cybersecurity SaaS firms update their strength, hackers equally upgrade their tricks and tactics to asperse these technical muscles.
Social engineering tactic works well on people's minds and has recently been used to attack other big companies, including Twitter, MailChimp, Robinhood, and Okta. Thus, as it has become apparent that recent breaches across known organizations were through employee weaknesses, training staff and workers should be given serious attention.
The disturbing Data Breach has caused security improvements across tech companies and moved Uber to open jobs for cybersecurity experts.
While this step is essential, tech companies are advised to channel more efforts towards cybersecurity awareness for users and employee training.
In as much as there was no report nor evidence of financial loss or users' confidential and sensitive information disclosure, this breach is a big threat and reputation [confidence loss] issue for Uber.
Can we rightly say that the attacker is an ethical hacker who only intended to disclose the company's cybersecurity weakness? Otherwise, Uber might have been tangled in the web of another ransomware attack that it faced back in 2016 when the personal information of about 57 million customers and drivers was stolen.
The advice for training is not to say that devising the expected industry standard of security safeguard is useless; it remains highly appreciated.
It will be recalled that the employee's Uber Account was protected with Multi-factor Authentication (MFA), which made it difficult for the attacker to penetrate. The hacker eventually used an MFA Fatigue attack, sending several MFA requests to the employee.
Resorting to social engineering, he sent a text message to the employee pretending to be Uber IT Support. He deceived him into accepting the push notification to solve the MFA requests that kept coming up.
According to Bleeping Computer, MFA Fatigue attacks are when a threat actor has access to corporate login credentials but is blocked from access to the account by multi-factor authentication. They then issue repeated MFA requests to the target until the victims become tired of seeing them and finally accept the notification.
In essence, while a strong security system is crucial for an organization, in the same vein, cybersecurity training for employees is equally vital.
It is no news that an organization risks legal tussle when the privacy of its users is breached. Aside from litigation from customers or investors, there are Regulatory infractions or prosecutions to be faced.
Article 83(4) of the EU General Data Protection Regulations (GDPR) provides a fine of up to €10 million or up to 2% of a company's entire global turnover of the preceding financial year, whichever is greater in case of breach of obligations of the monitoring or certification body.
Also, in Article 83(5) of the GDPR, there is a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, where the infringement has to do with users' or customers' data.
The case is not different in Nigeria; there is the 2019 Nigeria Data Protection Regulations (NDPR), which under Regulation 2.10 outlines that depending on the violation, a penalty may be up to either:
2% of the annual gross revenue of the preceding year or payment of the sum of ₦10 million (approx. €25,000), whichever is greater where the data controller is dealing with more than 10,000 data subjects;
or payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of ₦ 2 million (approx. €5,000) whichever is greater where the data controller is dealing with fewer than 10,000 data subjects.
In line with the NDPR, the Nation Information and Technology Development Agency (NITDA), after probing 17 firms, issued a fine of ₦5 million and ₦10 million against two companies in March and August of 2021.
Earlier this year, Wema Bank Plc. and Bet9ja were sanctioned and put under investigation; the former was based on privacy breach reports and the latter after a Ransomware attack.
The Uber story showed that the company complied with requirements for security safeguards (especially the current industry standard) and mandatory breach reporting. While the company might have escaped regulatory sanctions, it may not have escaped litigation had customers' confidential information been lost or stolen.
It is a part of the Risk Management scheme to subscribe to Cyber Security Insurance which covers losses resulting from cybersecurity incidents. However, in the Uber kind of incidents, the insurance policy may not avail them as there are limitations to what cybersecurity insurance policies can cover.
Among many, social engineering losses arising from new hardware installation, fresh software upgrades, and third-party errors are generally not covered by the Insurance policy.
Understand the legal consideration on what standard of security safeguard is expected of your industry
Be abreast of how often you should carry out cybersecurity training
Understand the mode and form of announcement in the event of a compromise
Understand how timeously you are expected to make the data breach announcement
Quickly, the United States (U.S.) does not have a single data protection legislation. Instead, there are a number of these regulations based on Federal and State jurisdictions. In any event, they are all there to protect the data and privacy of the citizens and residents.
However, at the federal level, there is the FTC Act which established the Federal Trade Commission, the U.S. Privacy Act which outlines rights and restrictions regarding data held by US government agencies, and the U.S. CLOUD Act which gives rights to authority to have access to citizens' information. As a result, the position of law varies from State to State in the U.S.
In the legal parlance, there is a maxim that reads Ubi Jus Ibi Remedium, meaning There is no wrong without a remedy. This section will discuss steps that comply with international best practices concerning cyber security culture.
It can no longer be overemphasized that regular training of employees is crucial. A company can have the most sophisticated security system, but it remains unsafe if its employees lack basic security antics– this can easily be deduced from the Uber incident. A well-trained employee will easily spot cyber threats and understand the need to report threats quickly.
As a way of helping employees implement the training and keeping employees on alert, an organization can establish security tasks to be carried out by employees on a weekly or monthly basis.
MFA is safer than 2FA, but MFA can be made stronger. Two-Factor Authentication implies after entering your login details; an OTP will be sent to you for a second-time authentication before finally accessing your account.
On the other hand, multi-factor authentication means you'll need to authenticate twice or more. For example, you may be required to enter an OTP and later enter biometric information (facial recognition or thumbprints).
An MFA requiring three (3) authentication procedures where the other two entries are strictly inherent factors is deemed stronger and safer.
There are three types of authentication factors: knowledge factor (requiring to enter what you know, such as OTP– one-time password or answer to security questions); possession factor (what you have, that is hardware token or mobile device) and inherent factor (what you are, which is biometrics).
Here, vigilance is key. No tech expertise is needed to prevent social engineering; spotting one when it surfaces is the best way to prevent the attack and manipulation. This is so as it's often difficult to free oneself once caught in the spell of a hacker. Deleting unfamiliar links or emails and verifying the personalities of the caller/text sender before taking action, among other safety practices, suffice.
Employees should not be allowed to use their official gadgets for personal use. This is good for them and the organization.
Article 37 of the General Data Protection Regulations (GDPR) of the European Union requires the appointment of a data protection officer (DPO), described as a person with expert knowledge of data protection law and practices, to assist the organization in monitoring its internal compliance with the Regulation. This provision is at par with Regulation 4.1 of Nigeria's 2019 NDPR.
In my view, I think the DPO Office should include two sets of officials: a Data Security Officer who is a cybersecurity officer for the technical and systemic aspects; and a Regulatory Compliance Officer who is a legal officer and expert in data protection laws and practices. These nomenclatures can be internal for administrative convenience or simply listed as DPO 1 and DPO 2.
a. Data Security Officers/Chief Information Security Officer:
Cybersecurity experts have strongly warned that security officers should desist from encrypting sensitive codes in the scripts. Unfortunately, such an error occurred with the Uber cybersecurity officers, as the hacker made it known that he retrieved an Admin username and password in one of Uber's PowerShell scripts which gave him access to several systems. A DSO/CISO will understand all these weaknesses and prevent future occurrences.
b. Regulatory Compliance Officers:
As a legal officer, the RCO will advise on the extent of notice, such as content requirements and notice deadline. Thus, the RCO helps the company make a timeous notification and avoid risks associated with making incomplete or inaccurate statements about the facts of the breach. This includes being careful of the statement to avoid clear admission of fault. An RCO may be in-house and can be an external solicitor or litigation counsel.
In our highly digitalized world, where sophisticated technologies keep rising daily, an organization can be compromised through its customers.
Also, a user who is hacked and loses properties may believe it's due to the company's weak security system. Thus, creating cybersecurity awareness and sharing security tips with customers will go a long way.
The collective utilization of the above practice will help build a strong security culture for tech organizations.
Also published here.
Illustration by Alex Castro / The Verge