Uber says it is in contact with law enforcement following reports of a significant data beach of its network. Credit: Magdalena Petrova/IDG Ride-hailing giant Uber has confirmed that it is responding to a cybersecurity incident as reports emerge that the firm has suffered a significant network data breach forcing it to shut down several internal communications and engineering systems.Attacker announces Uber breach through compromised Slack accountIn a statement on Twitter, Uber wrote “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” While details from the company were sparse at the time of writing, a report by the New York Times on Thursday claimed that a hacker was able to compromise an employee’s Slack account and used it to send a message to Uber employees announcing that the company had suffered a data breach.The report, which cited an Uber spokesperson, also claimed that the hacker posted, “I announce I am a hacker and Uber has suffered a data breach,” before listing several internal databases that were apparently compromised. The person claiming responsibility for the hack told the New York Times that they had sent a text message to an Uber employee claiming to be a corporate IT person, persuading them hand over a password that allowed the actor to gain access to Uber’s systems. According to a tweet by security researcher and bug bunty hunter Sam Curry, an anonymous Uber employee stated, “At Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.” Speaking to CSO, Jake Moore, global cyber security advisor at ESET, says, “The use of a simple social engineering hack via SMS to hack into their systems leaves Uber with not just embarrassment but questions on how much data was so easily accessible behind one simple compromise. Attackers should never be underestimated and those targeted must remain vigilant to such attacks. Therefore, personal data needs to be behind much stricter securities and must be protected the best it can be not only from insider threats but also relentless attackers looking for vulnerable staff.”Andy Swift, technical director of offensive security, Six Degrees, adds that internal systems are the soft underbelly of organizations, and the Uber incident just goes to show that even the most simplistic of techniques, if done correctly, can unpick an entire infrastructure with relative ease. “It’s why things like the concept of least privilege and focus on maintaining and reducing internal attack surfaces with a holistic view is so very important and getting big focus right now. Trying to get companies to think less about the security of individual systems in pigeonholes and have a more holistic view embedded into their security testing programs through the use of red/purple teaming engagements can really help pinpoint areas of weakness against the organization as a whole. As we have seen here, looking at it from this perspective is important in understanding an attacker’s view, and continuous testing – combined with strategic, planned improvement based on results – is vital.” CSO will follow this story and update as more details come to light. Related content news analysis SEC rule for finance firms boosts disclosure requirements Amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. By Evan Schuman May 17, 2024 5 mins Data Breach Financial Services Industry Data Privacy feature DDoS attacks: Definition, examples, and techniques Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for over twenty years, and they’re only growing more prevalent and stronger. By Josh Fruhlinger May 17, 2024 10 mins DDoS Cyberattacks news FCC proposes BGP security measures Protecting the Border Gateway Protocol is as important as protecting the border. By Gyana Swain May 17, 2024 1 min Regulation Network Security news US AI experts targeted in cyberespionage campaign using SugarGh0st RAT Threat actors use phishing techniques to obtain non-public information about generative artificial intelligence. By Lucian Constantin May 16, 2024 4 mins Phishing Data and Information Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe