A social-engineering attack is behind the latest Uber data breach, forcing the rideshare giant to take several of its internal communications and engineering systems offline.

Uber sent the following tweet Thursday evening about the data breach:

“We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

According to the New York Times, the person claiming responsibility for the hack said he sent a text message to an Uber worker claiming to be a corporate IT person. The attacker persuaded the worker to hand over a password that allowed him to gain access to Uber’s systems.

Ian McShane is Arctic Wolf‘s vice president of strategy. He said Uber is “renowned for having some of the best cybersecurity in the business.”

Arctic Wolf’s Ian McShane

“Nobody’s perfect and even the best managed security organizations can be compromised,” he said. “The key is how quickly you respond and mitigate the issue, which they appear to have done here.”

The Uber data breach is a pretty “low-bar to entry” attack, McShane said. It’s akin to consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools.

“Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort,” he said. “It looks like they did it ‘for the lulz’.”

Weakest Link Is Human

Attacks that use insider threats and compromised user credentials continue to grow by 47%. That’s according to a 2022 Ponemon Institute report. This breach is proof once again that often the weakest link in your security defenses is the human, McShane said.

“It is therefore critical that you manage that risk by running regular training and security awareness sessions while running around-the-clock monitoring, detection and response, as well as other security operations solutions to reduce risk and keep your organization protected,” he said.

Darryl MacLeod is virtual CISO at Lares Consulting.

Lares Consulting’s Darryl McLeod

“This breach highlights the need for companies to educate their employees about the dangers of social engineering and how to defend against it,” he said. “Social engineering attacks are becoming more common and more sophisticated, so it’s important to be aware of the dangers. If you work for a company that holds sensitive data, make sure you know how to spot a social engineering attack and what to do if you encounter one.”

Deryck Mitchelson is field CISO at Check Point Software Technologies. He said the breach comes as Uber’s ex-security chief prepares to stand trial in the United States, facing criminal charges relating to whether Uber properly disclosed a 2016 breach affecting 57 million users. This is an “interesting and potentially game-changing trial for security leaders.”

Check Point’s Deryck Mitchelson

“Social engineering is something we are increasingly seeing more of,” he said. “This is where the hackers will use a variety of offline and online means to manipulate users into performing actions or divulging confidential information, such as remote access details. There are solutions that can actively guard against sophisticated social engineering and phishing techniques like this. But it is also absolutely critical that organizations take the time to educate employees on the threat.”

More Emphasis on Employee Training, Testing Needed

Ray Kelly is fellow at Synopsys Software Integrity Group. He said there’s a reason cybersecurity experts say people are often the weakest link in cybersecurity.

Companies can spend significant budget on security hardware and tools, he said. However, in-depth training and testing of employees “does not get the focus it should.”

Synopsys’ Ray Kelly

“Whether it be phishing/[text messaging] attacks or a simple phone call to get an employee to give up their credentials, social engineering is going to be the easiest route for a malicious actor,” Kelly said.

Shira Shamban is CEO at Solvo, a security automation enabler for cloud development and production environments. She said the attacker gained access to Uber’s security products, like SentinelOne and Duo. The attacker also gained access to the AWS production environment. There, the hacker shared screenshots of an Uber security technologist and their identity and access management (IAM) administrator access.

Solvo’s Shira Shamban

“Utilizing IAM is a smart way to make sure even if some of your credentials are compromised, or some machines get hacked, the blast radius will be limited and the attacker’s ability to make lateral movement will be restricted,” she said.