What the Uber Hack Shows Us About Third-Party Risk Management
Uber recently made headlines due to a hack that impacted their internal systems. In short:
- An attacker used stolen credentials belonging to a third-party contractor.
- The contractor had MFA in place, but after ignoring a number of MFA prompts they were persuaded to accept one.
- This allowed the attacker to log in and access Uber’s internal network as if they were the contractor, including PowerShell scripts on a file share the contractor had privileged access to.
- From there, hardcoded credentials in the script gave the attacker access to the Privileged Access Management tool, which eventually gave them access to Uber’s Slack, Google Workspace, and much more.
We’d like to point out that we’re not seeking to victim-blame, shame, or in any way celebrate Uber’s compromise. Fortunately, the damage was relatively minimal given the access the attacker had. Uber maintains that no personal data was compromised and that, while internal systems were compromised, including HackerOne bug reports, Uber was able to remediate any known vulnerabilities.
It’s difficult to pinpoint exactly how this attack could have been prevented. Uber could have implemented better training or limited the number of MFA prompts, but ultimately, human error is hard to account for.
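One detection-side way to act on the "limit the number of MFA prompts" point is to watch authentication logs for push-fatigue bursts. The following is an added example, not Uber's tooling or code from the article; the log format, event names and sample lines are constructed for the illustration and assumed to be in chronological order.

```python
"""Detect MFA push-fatigue bursts in authentication logs (added example,
not Uber's tooling; the log format and sample lines are constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <user> <event> <source_ip>",
# assumed to be in chronological order.
SAMPLE_LOG = """\
2022-09-15T02:00:01Z contractor1 push_timeout 203.0.113.7
2022-09-15T02:00:40Z contractor1 push_denied 203.0.113.7
2022-09-15T02:01:15Z contractor1 push_timeout 203.0.113.7
2022-09-15T02:02:02Z contractor1 push_denied 203.0.113.7
2022-09-15T02:03:30Z contractor1 push_approved 203.0.113.7
2022-09-15T09:10:00Z alice push_approved 198.51.100.4
2022-09-15T09:30:00Z alice push_approved 198.51.100.4
"""

BURST_THRESHOLD = 3            # unanswered or denied prompts within WINDOW
WINDOW = timedelta(minutes=10)
FAILED = {"push_denied", "push_timeout"}

def parse_line(line):
    ts, user, event, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src

def detect_push_fatigue(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return alerts as (user, severity, timestamp) in the order raised."""
    recent = defaultdict(deque)   # user -> timestamps of recent failed prompts
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        ts, user, event, _src = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts outside the window
            q.popleft()
        if event in FAILED:
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "push_burst", ts))
        elif event == "push_approved":
            if len(q) >= threshold:
                # An approval right after a burst is the fatigue pattern itself.
                alerts.append((user, "approved_after_burst", ts))
            q.clear()
            in_burst.discard(user)
    return alerts
```

The "approved_after_burst" alert is the one worth paging on: a burst alone may be a user fumbling a phone, while an approval after repeated denials matches the pattern described above.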
We believe this compromise is a good example and opportunity to talk about the cybersecurity mindset shift companies need to adopt in order to minimize the risk involved with cybersecurity incidents. Here are a few key takeaways companies should know.
Third parties can be a huge risk factor
When it boils down to it, the Uber hack was the result of a third-party compromise and speaks to third-party risk as a whole. With the proliferation of B2B SaaS apps, outsourced services, cloud-based products, and off-premise servers and databases, third-parties are being used more than ever as a means to access and exploit larger organisations.
SaaS usage is up 38% over the last year, with companies using an average of 110 SaaS applications. This elevated use of third-parties is leading to increased risk for many organisations. Data is being shared and stored across multiple companies, integrations have added more entry points, and it’s becoming more and more challenging to have visibility of all your third-parties, not to mention securing them.
Do you have an accurate view of all the SaaS products used by your business? If not, you’re exposing yourself to risk (and it’s important to remember that SaaS usage changes, and often increases, on a weekly basis).
The Uber hack isn’t the only example of an attack resulting from a third-party attack vector. A Ponemon Institute study that surveyed 600 IT executives discovered that more than half of data breaches involved a third party, and third parties continue to be targets for malicious actors with big ambitions. Authy, an authentication app for businesses and consumers owned by Twilio, a popular third-party SaaS vendor, was hacked earlier this year. The attackers were able to obtain passcodes on over 100 partners, including DoorDash, who suffered a data breach that led to exposed customer data as a result of the Authy compromise.
These kinds of attacks are more and more common and require a new way of thinking in risk management.
Data breaches will happen
This wasn’t the first time Uber was compromised, and they have poured a lot of money into cybersecurity as a result. Despite all their resources and investments, they were still compromised. Lapsus$, a notorious group known for a number of high-profile attacks over the last few years, was responsible for the attack and previously compromised Microsoft, Cisco, and NVIDIA, as well as others, just this last year.
This reflects a new reality. It’s likely that you’ll suffer a cyber attack. Uber’s compromise was made possible with stolen login credentials that were floating around on the dark web. This kind of data is fairly easy to obtain, meaning many companies are at risk. Nearly 30% of all companies will suffer a data breach, but that doesn’t mean organizations can’t take appropriate steps to minimize their risk and the damage in case of an attack.
The average business needs to prepare for the very real scenario that it is compromised in some way. Given that reality, it’s important to go through potential incident response scenarios and have a plan depending on the compromise, what departments are affected, and the best way to recover.
Which brings us to our next point…
Reputational damage adds up
Uber’s hack seemed a lot worse than it was. Given what we know so far, the compromise was fairly severe because critical systems were accessed. However, the attacker’s motivations seemed to be embarrassment and bragging rights. Uber’s operations continued as normal and, according to their own statement, no user data was compromised.
The efforts to embarrass the company, however, paid off, which brings up an often-ignored aspect of a data breach — reputational damage.
This compromise led to dozens of articles and videos detailing the issue. This bad press can add up and both stock prices and revenue may be affected as a result. After Uber disclosed the problem, their stock fell by 5%. Consumers, overall, are much more wary these days and protective of their own security. A recent study has shown that 50% are unwilling to do business with a company they don’t trust, largely due to privacy issues. Nearly a quarter have outright said they wouldn’t do business with a company that suffered a data breach.
This is one area where Uber had some room for improvement: it appears there wasn’t a strong communication strategy in place. A key part of incident response is reporting and communication. If they had been able to better communicate that the hack resulted in minimal damage, the reputational hit might have been reduced.
What can companies learn from this data breach?
There were things Uber could have done, like having a stronger MFA system in place and avoiding hardcoded credentials in PowerShell scripts, but we’re not here to focus on the nuances that led to this attack. Instead, we should use this incident as a good reminder of what threats companies face today and the environment they need to secure. Old models and frameworks of third-party risk management (TPRM) need to be updated, and new priorities require an elevated focus.
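The hardcoded-credential pivot described above is something you can check for before scripts land on a shared location. The following scanner is an added example, not Uber's tooling or code from the article; the rule names, the `Connect-PamServer` cmdlet and the sample script are constructed for the illustration.

```python
"""Scan PowerShell scripts for hardcoded credentials (added example, not
Uber's tooling; rule names and the sample script are constructed)."""
import re
from pathlib import Path

# (rule name, compiled regex). Order matters: the first matching rule per line wins.
RULES = [
    ("plaintext_securestring",
     re.compile(r'ConvertTo-SecureString\s+(["\'])[^"\']+\1.*-AsPlainText', re.I)),
    ("literal_password_argument",
     re.compile(r'-(?:Password|Pass|Secret|Token|ApiKey)\s+(["\'])[^"\']+\1', re.I)),
    ("literal_assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*(["\'])[^"\']+\1', re.I)),
]

def scan_script(text):
    """Return (line_no, rule, stripped_line) for each suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append((no, rule, line.strip()))
                break
    return findings

def scan_share(root):
    """Walk a directory (e.g. a mounted file share) and scan every .ps1 in it."""
    return {str(p): scan_script(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.ps1")}

# Constructed sample script; Connect-PamServer is a hypothetical cmdlet.
SAMPLE_SCRIPT = """\
# constructed sample script, not from the incident
$User = "svc-pam"
$Password = "Sup3rSecret!"
$Secure = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($User, $Secure)
Connect-PamServer -Server pam01 -User $User -Password "Sup3rSecret!"
$Safe = Get-Credential
$Token = $env:PAM_TOKEN
"""

if __name__ == "__main__":
    for no, rule, snippet in scan_script(SAMPLE_SCRIPT):
        print(f"line {no}: {rule}: {snippet}")
```

Lines that prompt for credentials (`Get-Credential`) or read them from the environment are left alone, which is the direction a fix for the flagged lines should take.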
Third party risk is more important than ever
These kinds of attacks have compromised some of the biggest companies in the world, meaning organisations with fewer resources are at significant risk. Third-party risk is a major liability and needs to be a top cybersecurity priority. Companies should assess their own processes, systems, and tools to make sure that they are:
- Assessing current third parties’ cybersecurity effectively.
- Assessing potential third parties’ cybersecurity.
- Taking action to mitigate any new potential risk brought on by a third party.
- Carefully implementing and integrating a third party in a way that minimizes data exposure.
These are helpful considerations you can continue to return to as you build up your third-party risk management strategy.
Incident response must incorporate media and communication strategies
How you communicate a potential security compromise is a crucial component of an incident response (IR) strategy. Make sure all affected parties know about the compromise, and consider how you communicate publicly and to the media, especially once there’s a public record.
Key personnel and departments should be identified and work on the comms plan as part of a data breach response. This can help protect your company's reputation and may even help in case of a lawsuit or regulatory investigation.
Aim for cyber resilience as well as cyber security
Companies can’t rely simply on preventative cybersecurity measures; they need to adopt a mindset that expects a data breach and plans accordingly. Cyber resilience measures an organisation’s ability to respond to a cyber incident. How quickly can they recover? How fast can they react? And how well can they mitigate the damage?
These are key questions you should look to answer as you plan out your cyber resilience strategy and consider new tools, systems, and processes.
Cybersecurity is done best when it’s done collaboratively
Companies aren’t facing the best odds when considering the sheer number of malicious actors and potential points of exposure and vulnerability. Security incidents and compromises are inevitable because prevention is a near-impossible task. However, effective defense can be achieved if companies work together.
Pursuing an effective TPRM strategy doesn’t mean you should look at all your third-parties as risk-carriers or that you have to minimize how closely you can work with them. Instead, you should work with them even more closely and collaborate on cybersecurity, share intelligence, and open lines of communication.
You can also develop a shared culture of responsibility, which will foster collaboration in case a compromise does occur. This can help speed up incident response on all sides, ultimately reducing the risk that an exploit reaches your network or incurs significant damage.
Overall, you should prioritize building stronger connections with your suppliers and third-parties and raise the cybersecurity posture and resilience for everyone.