Law Firm for Uber Loses Drivers' Data to Hackers in Yet Another Breach

Published: 23/11/2024   Category: security



Uber gave sensitive data on drivers to a law firm representing the company in legal actions, but the data appears to not have had adequate security protections.



A law firm representing Uber Technologies has notified an unknown number of its drivers that sensitive data, including their names and Social Security numbers, has been stolen by cyberattackers.
It's the third data breach in six months for the ride-share giant.
Law firm Genova Burns LLC, based in Newark, NJ, first noticed suspicious activity at the end of January, and — after an investigation by outside specialists — discovered that its systems had been compromised and data on an undisclosed number of Uber drivers had been stolen, according to a letter published online on April 4. Uber sent the information to the law firm in connection with its legal representation, the letter stated.
Genova Burns did not explain why the law firm needed drivers' personally identifiable information (PII) and did not respond to multiple requests for comment.
"Upon learning of the event, we investigated to determine the nature and scope of the incident and secured the environment by changing all system passwords," the law firm said in the letter sent to Uber drivers. "We also notified law enforcement and are cooperating with its investigation. We will be taking additional steps to improve security and better help protect against similar incidents in the future."
Some major breaches have targeted legal firms, which typically hold very sensitive data and often do not have a dedicated information-security director. In January and February, two cybercriminal campaigns — GootLoader and SocGholish — hit six different law firms with cyberattacks. Notably, the cyberattackers behind GootLoader used search terms that refer to contracts, agreements, and other legal forms as bait in a drive-by download campaign.
By using malicious search engine optimization techniques, the attackers in that case lured potential victims to malicious sites, which then attempt to compromise the user's machine with their malware, says Keith Jarvis, a senior security researcher at Secureworks Counter Threat Unit (CTU), who adds that it's unclear if the Uber data was specifically targeted or just caught up in such an effort.
"We do not know if this targeting is intentional or incidental, but it has been effective at ensnaring organizations in legal services," he says.
Uber has been a frequent target of hackers. The ride-sharing service provider had previously leaked information on 50,000 drivers and their license plates in May 2014, followed by a more serious breach in October 2016, when cybercriminals gained access to the private data of 57 million Uber users. In 2022, two more attacks — one through a third-party cloud provider — successfully captured sensitive data, and one resulted in the company's CISO resigning.
In the latest attack, Uber confirmed the breach, but directed questions back to its law firm.
"These drivers have been notified that their Social Security number and/or tax identification number have been potentially impacted and [were] offered complimentary credit monitoring and identity protection services," Uber said in a statement. "Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future."
The law firm first detected the attack on Jan. 31, and, following an investigation by an unnamed third-party forensics and data-security specialist, discovered that its data had been accessed and exfiltrated during the week prior to discovery.
"On March 1, 2023, we determined that information related to you [the Uber drivers] was contained in an impacted file, after which we notified Uber," Genova Burns stated in the letter, published by The Register. "At this time, we are unaware of any actual or attempted misuse of your information as a result of this incident."
Genova Burns joins a growing group of law firms that have become victims of cyberattackers. In 2021, attackers accessed systems at Campbell Conroy & O'Neill, a law firm with hundreds of major corporate clients, that included names, birthdates, driver's license numbers, Social Security numbers, passport numbers, and even medical information.
While most cybercriminals are opportunistic attackers, law firms often attract unwanted scrutiny, says Secureworks' Jarvis.
"For the minority of cybercriminal attacks where a victim is targeted, organizations with access to large amounts of third-party data, such as law firms, present a valuable target," he says. "Law firms also frequently fit the profile of small to midsized organizations with a sizable IT footprint but no dedicated security resources."
Over the past few years, nation-state groups have targeted law firms to uncover information on their clients' intellectual property and technologies in development.
