The Uber hack that the young man claimed sent his shares plummeting on Wall Street on Friday and made cybersecurity experts remember how poorly protected many large companies are.
“We have no evidence that sensitive user data was compromised as a result of the incident,” the chauffeur-driven vehicle booking (VTC) platform said Friday, adding that all of its services and mobile app are “working.”
Uber reported the “cybersecurity incident” on Thursday evening, saying it was “contacting authorities” about the matter.
Around 19:00 GMT on Friday, the Uber title lost 3.41% to $32 after falling to 6.79%.
According to the New York Times, a young hacker who says he is 18 obtained access codes to Uber’s internal network by posing as a member of the technical team in front of an employee, and thus to the internal network, source code, as well as email. mail. The daily, which received screenshots from the hacker to back up its claims.
Several cybersecurity experts also said they were in contact with someone who presented himself as a hacker.
– “Fed up with” –
It was able to determine the actual username and password, cybersecurity analyst Graham Cluley said in a blog post Friday.
The hacker then “says he was just (…) bombarding the employee with multi-factor authentication requests” until the person gave up and gave him access out of “fed up”.
When asked by AFP, Uber did not provide more details than it did on Twitter.
“People are often the weak link,” recalls Ray Kelly of Synopsys Software Integrity Group, a California-based IT infrastructure company. “Groups spend a lot of money on security hardware and tools, but employees aren’t trained enough.”
On average, American companies are subject to 42 cyberattacks a year, of which 3 are successful, according to Keeper Security, a specialized company.
– The trial of the former director of security –
The incident comes as a trial is underway in San Francisco this week against former Uber IT security chief Joe Sullivan, accused of covering up a 2016 computer attack that allowed hackers to access the personal data of some 57 million platform users.
Joe Sullivan, who was fired in November 2017, also arranged for a $100,000 ransom to be paid to the hackers behind the attack, according to the indictment.
The case was not solved until a year later, Uber reached a settlement with 50 US state prosecutors, including $148 million in damages in total for delaying disclosure of the attack to the regulator as well as the general public.
The US-identified two hackers behind the cyberattack were arrested and convicted of extortion before a California federal court in 2019. Their verdict has not yet been passed.
The trial of Joe Sullivan is seen as a test of the US justice system’s vision of the duties and responsibilities of cybersecurity professionals in companies.