Who do you trust with your critical data assets? In an ideal world, the answer would be “no one,” but the reality is that most companies rely on third-party vendors in one form or another to enable day-to-day processes and services. However, as the latest Uber breach showed, this can put protected information at risk. 

Just yesterday, RestorePrivacy revealed that on December 10th, Uber suffered a data breach after a threat actor gained access to third-party asset management vendor Teqtivity’s internal systems, and leaked the account information and PII of around 77,000 Uber employees on a hacker forum. 

Shortly after the news broke, Teqtivity released a statement explaining that the hackers breached the vendor’s AWS backup server, which stored code and customer files.

Above all, the breach highlights that enterprises can’t afford to rely on the security measures of third-party vendors to protect their data, and suggests that organizations need to be much more proactive in conducting due diligence on which entities they choose to partner alongside. 

A look at third-party risk 

The breach comes just months after a Lapsus$ hacker breached Uber by purchasing the login credentials of an Uber EXT contractor and used MFA bombing to bombard the user with SMS login requests until they accepted one, giving the hacker access to Uber’s internal systems. 

It also comes after a federal jury convicted former Uber CISO, Joseph Sullivan, for covering up a data breach in 2016. 

Although, unlike these security blunders, this latest breach stands out as it’s illustrative of a trend of supply chain attacks on third-party vendors, which are becoming increasingly common, with research showing that 51% of organizations have experienced a data breach caused by a third party.

“In recent years, we’ve seen that companies are becoming more at risk of being either the ‘target’ or the ‘transport’ that allows other organizations to be hacked. With this data breach, perhaps this kind of supply chain attack becomes the Venn diagram where supply chain attacks meet targeted attacks,” said Ian McShane, vice president of strategy at security operations provider, Arctic Wolf. 

While it’s difficult to know whether this breach occurred because attackers identified Teqtivity as a potential entry point to Uber’s internal systems or simply got lucky, the high volume of data exposed during the incident highlights that organizations can’t afford to overlook third-party risk. 

Vendors are the weakest link in enterprise security 

The targeting of third-party vendors via supply chain attacks has been growing for some time, increasing 742% annually over the past three years, with one of the most notable examples being the SolarWinds breach in 2020, where threat actors gained access to 18,000 customers, including Microsoft, the U.S. State Department and NASA. 

Now with Uber suffering a data breach as a result of a third-party vendor, it’s likely that other threat actors will start to target these providers more proactively, so they can compromise high-value targets and downstream organizations. 

The level of threat this presents can’t be underestimated, particularly when considering that many enterprises are overlooking third-party risk, with 45% of organizations using manual spreadsheets to assess third parties. 

“Vendors and other third parties are often granted the same access as employees, but with fewer security measures, making them a weak link and therefore a popular target for threat actors,” said Robert Ames, threat researcher at SecurityScorecard. 

“When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations,” Ames said. 

In Uber’s case, all it took was gaining access to Teqtivity’s AWS server to harvest a mountain of data, while Uber had limited visibility of the incident. 

So how bad is the damage for Uber? 

Although the incident could have been worse, the high amount of employee data collected suggests that there could be long-term repercussions in the form of social engineering and spear phishing attacks. 

One reason for this is that cybercriminals essentially have a database of potential targets at Uber who they can target with highly-convincing social engineering scams and phishing emails to trick them into handing over login credentials and personal information. 

“The leaked data’s main value to cybercriminals would be detailed information on Uber employees to conduct spear phishing,” said Bryan Smith, CTO at cyber risk management provider, RiskLens. 

Security awareness advocate at KnowBe4, Erich Kron, suggests that the highly-targeted nature of these phishing attempts will make them more effective and difficult to prevent. 

“Personal information on employees and customers can easily be used in creating more relevant and believable social engineering attacks in the future. People whose information may have been accessed or leaked should be made aware of the potential data misuse, and how it may impact them,” Kron said.  

As a result, security awareness training will be essential for ensuring that users are prepared to address any follow up social engineering threats in 2023, which will be likely if attackers perceive weakness in the vendor’s security measures after these last two high-profile breaches. 

“Unfortunately, due to historic events, Uber will continue to be not only a target, but also under a microscope when it comes to security incidents,” Kron said. 

Know your supplier 

The main lesson from this breach is that organizations need to have a complete understanding of third-party risk; conducting careful onboarding and screening of IT vendors, and using regular risk assessments to identify what data could be exposed, whether that’s PII, intellectual property, employee data, financial details or other information. 

“It is crucial for companies to continuously monitor third-party cybersecurity posture to reduce the likelihood of attacks. Additionally, companies should evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and participate in tabletop exercises and threat emulation to ensure they are familiar with countering and responding to threat actors,” Ames said. 

Continuously monitoring third-party risk throughout the vendor lifecycle will put organizations in the best position to identify potential risks and, ultimately, help to prevent data breaches.