A recent supply chain attack has resulted in sensitive data belonging to Uber drivers being stolen once again.
The Register picked up on a breach notification sent to affected drivers by the law firm Genova Burns which said that in late January 2023 it “became aware” of suspicious activity in its internal information systems.
After bringing in outside forensic and data security specialists, the company determined that an “unauthorized third party” (no groups or individuals were named) accessed its systems between January 23 and 31, 2023. During that time, the threat actor stole data including Uber drivers’ names, Social Security Numbers, and in some cases, Tax Identification numbers.
Securing the environment
The way the notification was formulated suggests that this is not all of the data that was taken, but Genova Burns did not discuss it further.
What it did discuss are its moves going forward, including the usual 12 months of free identity (opens in new tab) monitoring services, this time through Kroll. It also said it “secured the environment” by changing all system passwords, and notifying the police.
“We will be taking additional steps to improve security and better help protect against similar incidents in the future,” Genova Burns added, without detailing which additional steps those are.
When asked by the publication to comment, Uber sent an email statement, saying the Genova Burns data was related to “certain drivers who had completed trips in New Jersey”. The company also reminded that the law firm found no evidence of the data being used in the wild, or evidence of such an attempt.
Genova Burns said it held the data due to its legal representation of Uber Technologies.
Uber has suffered its fair share of cybersecurity incidents, including the 2016 data theft fiasco, the 2022 Lapsus$ data theft, and the Teqtivity supply chain attack.
Via: The Register (opens in new tab)