Uber has suffered yet another data breach, this time after the servers of a third-party law firm were attacked. The firm, Genova Burns, which provides legal counsel to Uber, has notified an undisclosed number of Uber drivers that their sensitive data was exposed and stolen in a cyberattack.
The ongoing investigation suspects that the attackers gained access to Genova Burns' systems through a phishing attack, and that confidential driver information, such as Social Security and tax identification numbers, was stolen in the breach.
Genova Burns shared in a letter to affected drivers some information about the breach:
"On January 31, 2023, Genova Burns became aware of suspicious activity relating to our internal information systems. In response, we engaged outside forensic and data security specialists to investigate the nature and scope of the activity. We determined that an unauthorized third party gained access to our systems and certain limited files were accessed or exfiltrated between January 23, 2023 and January 31, 2023."
The law firm notes that it is unaware of any misuse of the stolen information involved in this incident.
Data breaches are a major concern for companies like Uber, especially when they come from third-party access. In this case, Genova Burns was responsible for handling Uber driver data and was hit by an attack that exposed confidential information for countless Uber drivers in the New Jersey area.
While Uber has faced criticism for its handling of previous data breaches and lack of transparency in disclosing them to the public or regulators, it's important to note that third-party breaches can be difficult to prevent and manage.
Companies like Uber must rely on third-party vendors to handle sensitive data, which can make it difficult to ensure that all security protocols are being followed.
Piyush Pandey, CEO at Pathlock, discusses this challenge with SecureWorld News:
"Third-party access to core business systems should be managed with the strictest of access controls. For public, regulated companies like Uber, third-party access often has specific regulations attached to it to ensure controls are enforced in a highly monitored way, SOX's segregation of duties (SOD) requirements being a prime example.
Starting with the principle of least privilege, third parties should be granted the minimum level of access required to perform the processes required by the business. From there, any elevation of access should be managed via exception. Regular reviews of activities and elevation requests would determine if entitlements should be expanded or contracted over time.
The challenge organizations often face with third-party access management is how time-consuming the review process is. To be truly effective, organizations must automate the workflow around third-party access reviews to be more proactive in adjusting policies to reduce risk where possible."
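The review workflow Pandey describes (a least-privilege baseline, elevations granted only by documented exception, and periodic reviews that contract entitlements nobody is using) can be reduced to a small, repeatable check. The script below is an added illustration written for this article; it is not code from Uber, Genova Burns or Pathlock. The baseline roles, the 90-day staleness threshold, the vendor names and the entitlement records are all constructed assumptions, chosen only to show the three finding types a reviewer would act on.

```python
"""Automated third-party access review (added example, not the page's code).

Applies three rules to a list of vendor entitlements:
  1. least privilege  - any role outside the vendor type's baseline is an
                        elevation and must carry a change ticket and an expiry;
  2. exception expiry - an elevation past its expiry should already be revoked;
  3. periodic review  - an entitlement not exercised within STALE_AFTER is a
                        candidate for removal.
All thresholds, role names, vendors and records below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

STALE_AFTER = timedelta(days=90)  # assumed review policy

# Assumed least-privilege baseline per vendor type: roles granted by default.
BASELINE = {
    "law_firm": {"case-files:read"},
    "payroll": {"tax-records:read", "tax-records:write"},
}


@dataclass
class Entitlement:
    vendor: str
    vendor_type: str
    account: str
    role: str
    granted: date
    last_used: Optional[date]            # None means never exercised
    elevation_ticket: Optional[str] = None
    expires: Optional[date] = None


Finding = Tuple[str, str, str]  # (account, role, finding code)


def review(entitlements: List[Entitlement], today: date) -> List[Finding]:
    """Return the findings a reviewer would act on for the given review date."""
    findings: List[Finding] = []
    for e in entitlements:
        baseline = BASELINE.get(e.vendor_type, set())
        is_elevated = e.role not in baseline
        # Rule 1: elevation must be an explicit, time-boxed exception.
        if is_elevated and (e.elevation_ticket is None or e.expires is None):
            findings.append((e.account, e.role, "undocumented-elevation"))
        # Rule 2: an expired exception is still in place -> revoke.
        if e.expires is not None and e.expires < today:
            findings.append((e.account, e.role, "expired-elevation"))
        # Rule 3: unused since grant (or for longer than STALE_AFTER) -> contract.
        reference = e.last_used or e.granted
        if today - reference > STALE_AFTER:
            findings.append((e.account, e.role, "stale-revoke"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by code so the review queue can be prioritised."""
    counts: dict = {}
    for _, _, code in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample entitlements (not real accounts or vendors).
REVIEW_DATE = date(2023, 1, 31)
SAMPLE = [
    Entitlement("outside-counsel-a", "law_firm", "svc-counsel-read",
                "case-files:read", date(2022, 6, 1), date(2023, 1, 20)),
    Entitlement("outside-counsel-a", "law_firm", "svc-counsel-export",
                "driver-pii:export", date(2022, 11, 1), date(2022, 10, 15)),
    Entitlement("payroll-vendor-b", "payroll", "svc-payroll-write",
                "tax-records:write", date(2022, 12, 1), date(2023, 1, 30)),
    Entitlement("payroll-vendor-b", "payroll", "svc-payroll-admin",
                "hr-system:admin", date(2023, 1, 10), date(2023, 1, 28),
                elevation_ticket="CHG-0042", expires=date(2023, 1, 25)),
    Entitlement("outside-counsel-c", "law_firm", "svc-counsel-unused",
                "case-files:read", date(2022, 9, 1), None),
]

if __name__ == "__main__":
    results = review(SAMPLE, REVIEW_DATE)
    for account, role, code in results:
        print(f"{code:24} {account:22} {role}")
    print(summarize(results))
```

Run as-is, the export role held by `svc-counsel-export` is flagged twice (it is an elevation with no ticket or expiry, and it has not been used in over 90 days), the admin role on `svc-payroll-admin` is flagged because its exception expired on 25 January but was never revoked, and the never-used account `svc-counsel-unused` is queued for removal. The two baseline entitlements that are in regular use produce no findings, which is the point of automating the routine part: the reviewer's time goes to the exceptions.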
While third-party breaches can be difficult to prevent and manage, it is important that companies like Uber work closely with their vendors to ensure that all security protocols are being followed. As the investigation into this latest breach continues, it's clear that there is still much work to be done to protect against cyberattacks.