Uber Technologies has experienced its third data breach in six months, as sensitive data, including names and Social Security numbers of an unknown number of its drivers, was stolen by cyber attackers.
The breach was discovered by law firm Genova Burns LLC, which had received the information from Uber as part of its legal representation.
The law firm noticed suspicious activity in January and confirmed that its systems had been compromised, leading to the data breach.
The impacted drivers have been notified that their Social Security numbers and/or tax identification numbers may have been affected, and Uber has offered complimentary credit monitoring and identity protection services. It is also unclear whether the Uber data was specifically targeted or was caught up in a broader effort to attack legal services organizations.
Cyber attacks targeting legal firms have been on the rise, with cybercriminal campaigns using malicious search engine optimization techniques to lure potential victims to malicious sites.
Uber has experienced multiple cybersecurity breaches in the past, including leaks of driver and user information in 2014 and 2016. In 2022, two more attacks occurred, one through a third-party cloud provider, resulting in the capture of sensitive data and the resignation of Uber's Chief Information Security Officer (CISO).
Genova Burns, after detecting the attack on January 31, conducted an investigation with the help of a third-party forensics and data security specialist. It was discovered that the data had been accessed and exfiltrated during the week prior to discovery.
On March 1, 2023, Genova Burns notified Uber that information related to the affected Uber drivers was contained in an impacted file. However, at this time, no actual or attempted misuse of the information has been identified.
"For the minority of cybercriminal attacks where a victim is targeted, organizations with access to large amounts of third-party data, such as law firms, present a valuable target. Law firms also frequently fit the profile of small to midsized organizations with a sizable IT footprint but no dedicated security resources," Secureworks' Jarvis said.
Genova Burns stated that they are taking additional steps to enhance security and protect against similar incidents in the future, as reported in a letter published by The Register.