Consumers are being urged to take action to protect themselves in the wake of a substantial hack of ride-hailing company Uber's (UBER) data systems, even if they only used the service once.
The breach is "massive," Chris Lehman, CEO of SafeGuard Cyber, a Charlottesville, Va.-based cybersecurity company, told TheStreet. "Consumers would be well advised to monitor any card or financial account that is linked to their Uber app," he said. "There is a good chance that at least some customer data has been exposed."
The scale of the hack appears to be extensive since Uber's cloud systems, security tools, internal databases and even Slack were compromised, Lehman said.
Uber's app contains a lot of personal information, such as cell phone number, email address and credit card information, and the app itself has GPS monitoring. That could pose a lot of risks to users if "this attack has been carried out by a sophisticated hacking group," he said.
It is still not known how many customers and Uber drivers had their information exposed to hackers or how soon it will wind up on the darknet.
How Consumers Can Protect Themselves
Consumers who have used Uber even once risk having their personal information compromised, Darryl MacLeod, a virtual CISO at LARES Consulting, a Denver-based information security consulting firm, told TheStreet.
Uber collects a lot of personal data, including a person's ride history with home and work addresses.
"You don't want that data falling into the wrong hands," he said.
Consumers should enable two-factor authentication (2FA) immediately and keep an eye on credit card statements and credit reports for any suspicious activity, MacLeod said.
After a massive breach, consumers should always immediately change their password. If the password used for Uber's app was also reused anywhere else, it should be changed there as well.
Using strong and unique passwords for all online accounts is one way for consumers to protect themselves, Darren Guccione, CEO of Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software, told TheStreet.
"This will limit sprawl if their information is stolen and posted to the dark web," he said. "A password manager is a critical tool to create high-strength random passwords for every website, application and system. Dark web monitoring will alert consumers if their data is available online, so they can take immediate action to protect themselves."
In addition, consumers should always opt for adding a credit card for any app or online account instead of using a debit card.
"If a debit card is stolen, the money is drafted out of your account immediately and the consumer will have to fight to get their money back," Lehman said. "With a credit card, you have the chance to challenge the fraudulent charges without losing your money."
The responsibility lies with companies to protect their network and data from these types of cyber attacks because consumers are vulnerable and do not have many preventative strategies.
"The consumer has no control of their data once it’s shared with the app," he said.
Uber Does the 'Responsible Thing'
Uber has done the "responsible thing" by shutting down its Slack and is working with law enforcement, Debrup Ghosh, senior product manager at Synopsys Software Integrity Group, a Mountain View, Calif.-based provider of integrated software solutions, told TheStreet.
While taking prudent steps is a good idea, consumers "probably don’t need to panic and lock down their credit or debit cards yet," he said.
The payment gateways have fraud detection systems that "may trigger automatically if an unauthorized purchase is detected by systems of large credit card companies," Ghosh said.
Many consumers use services from large tech firms such as Amazon and Google, which all have access to personal data, consumer preferences, and geo-location data such as home and work addresses, he said.
"Instances such as this illustrate the value of consumers demanding that large corporations take data security seriously and act as model corporate citizens," he said. "Companies with a robust security culture will not only better serve their consumers, but also protect and improve shareholder value in the long run."
Details of the Attack
Uber said the cyber attacker penetrated an employee's account via Slack, a workplace messaging software tool.
The hacker used Slack to message Uber's employees about the data breach, an Uber spokesperson told the New York Times on Sept. 15. The fraudster also seemed to have gained access to other internal systems because an explicit photo on an internal information page for employees was also posted, according to the report.
The hacker, identified by the Telegram handle Tea Pot, breached access via Uber’s account with HackerOne, a firm that helps companies work with security researchers, the company and researchers on the platform told the Wall Street Journal.
The researchers said the hacker had access to administrative accounts that Uber uses to manage its technology systems, including Google clouds, Amazon Web Services and VMware systems, according to the WSJ article.
The hacking incident against Uber renews many questions about the security of consumer data. The company was targeted in 2016 by a cyber attacker who exposed personal and financial information from 57 million of its customers and drivers.