Ride-hailing giant Uber finds itself in the hot seat once again as news of a major data breach surfaces this week, marking the third incident within the past 10 years. The culprit this time? A third-party vendor providing legal services to the company.

As the investigation unfolds, we delve into the details of the breach, examine its potential impacts on customers and drivers, and question Uber’s ability to safeguard sensitive information in an era of escalating cyber threats.

What Happened?

On January 27, 2023, Genova Burns LLC, a law firm representing Uber, discovered that its systems had been compromised. The firm's investigation determined that the intruders had gained access on December 14, 2022, and had stolen personal information belonging to more than 77,000 Uber drivers. The incident underlines how much depends on robust third-party cyber risk management.

Uber was notified of the breach on January 31, 2023. It immediately launched its own investigation, took measures to secure its systems, and offered free credit monitoring to all impacted drivers. The investigation is still ongoing; the current working theory is that the attackers gained entry to Genova Burns' systems through a phishing attack.

This incident follows Uber's earlier data breaches in October 2016 and September 2022, and it underscores the need to monitor vendors' cybersecurity posture continuously. Uber has been criticized for its handling of past breaches, but the broader lesson is the cyber risk posed by third-party vendors and partners, and the regulatory repercussions and fines that a vendor-caused breach can bring down on the customer company.

For CISOs and IT risk professionals, this situation highlights the necessity for stringent third-party cyber risk management. Companies must invest in strengthening their own security practices, maintain transparency when breaches occur, and verify that their vendors meet the required cybersecurity standards. By doing so, they reduce the risk of regulatory penalties and fines arising from data breaches involving third parties.

The regulatory exposure and potential fines Uber faces should not be underestimated; incidents like this can carry severe financial and reputational consequences.

Meanwhile, Uber drivers affected should proactively safeguard their identities by monitoring their credit reports, freezing their credit, and updating passwords for potentially affected accounts.

What Data Was Compromised and How Does It Impact Uber Drivers?

The data breach compromised a significant amount of sensitive information about Uber drivers, including:

  • Names
  • Addresses
  • Social Security numbers
  • Driver’s license numbers
  • Dates of birth
  • Gender
  • Phone numbers
  • Email addresses
  • Payment information
  • Vehicle information
  • Driving history

Criminals could exploit such data for identity theft, fraud, and other illicit activities. Stolen Social Security numbers, for instance, can be used to open new credit accounts in the affected drivers' names, and stolen driver's license numbers can be used to produce counterfeit licenses.

To mitigate potential harm, Uber urges impacted drivers to stay vigilant against identity theft and fraud by regularly reviewing their account statements. Genova Burns has also set up a dedicated assistance line for questions or concerns related to the incident.

At present there is no evidence of actual or attempted misuse of the affected drivers' information as a result of this breach. The law firm says it remains dedicated to safeguarding the confidentiality, privacy, and security of the personal information in its possession and will continue to implement measures to prevent future incidents.

The Weakest Link: Assessing Cybersecurity Postures of Legal Vendors in the Wake of Uber’s Data Breach

Uber's breach through a legal service vendor shows why the cybersecurity posture of every vendor needs monitoring, whether or not the vendor is digitally connected to your environment: a law firm holding copies of your data is a breach path even when there is no network link between you. The legal services sector warrants particularly close attention because of the sensitive and confidential information it routinely handles.

Our research shows the same pattern across the legal services sector. In the past 12 months, 97 legal service vendors experienced ransomware attacks; 69 of them were US-based companies.

Black Kite Research also analyzed every legal services vendor monitored on the Black Kite platform. The analysis revealed several alarming findings:

  • 20% of these vendors had at least one credential leaked in the last 90 days,
  • 33% displayed critical vulnerabilities due to outdated systems, and
  • 18% showed poor email configuration that could facilitate phishing attacks.
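The third finding is the one a risk team can verify for itself with two DNS lookups. As an added example (not code from the original post, and not Black Kite's scoring method), the following Python grades a vendor domain's email-authentication posture from its SPF and DMARC TXT records. It assumes that "poor email configuration" means a missing or permissive SPF record, or a missing DMARC record or one with `p=none`; the domains and records below are constructed for illustration, not real DNS answers. In practice you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` with a resolver library and pass the strings in.

```python
"""Grade a vendor's SPF/DMARC posture (added example; constructed sample data)."""
import re
from typing import Optional

# Constructed sample records, not real DNS answers: domain -> (SPF TXT, DMARC TXT).
SAMPLE_VENDORS = {
    "vendor-a.example": ("v=spf1 include:_spf.example.net -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"),
    "vendor-b.example": ("v=spf1 ip4:192.0.2.0/24 ~all",
                         "v=DMARC1; p=none; rua=mailto:dmarc@vendor-b.example"),
    "vendor-c.example": ("v=spf1 +all", None),          # permissive SPF, no DMARC
    "vendor-d.example": (None, None),                   # neither record published
}


def parse_spf(record: Optional[str]) -> dict:
    """Split an SPF record into its 'all' qualifier and the remaining mechanisms."""
    if record is None:
        return {"present": False}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"present": False}
    all_qualifier, mechanisms = None, []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # an unqualified mechanism means '+'
        else:
            mechanisms.append(term)
    return {"present": True, "all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record: Optional[str]) -> dict:
    """Split a DMARC record into lower-cased tag/value pairs."""
    if record is None:
        return {"present": False}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False}
    return {"present": True, "tags": tags}


def assess_email_posture(spf_record: Optional[str], dmarc_record: Optional[str]) -> list:
    """Return a list of spoofing-related weaknesses; an empty list means none found."""
    findings = []
    spf = parse_spf(spf_record)
    if not spf["present"]:
        findings.append("no SPF record: receivers cannot tell which hosts may send as this domain")
    elif spf["all"] == "+":
        findings.append("SPF ends in '+all': any host on the internet passes SPF for this domain")
    elif spf["all"] in (None, "?"):
        # With no 'all' mechanism SPF defaults to a neutral result, same as '?all'.
        findings.append("SPF has no failing 'all' mechanism: unlisted senders are treated as neutral")

    dmarc = parse_dmarc(dmarc_record)
    if not dmarc["present"]:
        findings.append("no DMARC record: receivers are never told to quarantine or reject spoofed mail")
    else:
        policy = dmarc["tags"].get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy '{policy or 'missing'}' is not a valid enforcement policy")
        pct = dmarc["tags"].get("pct", "100")
        if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: enforcement applies to only part of the mail stream")
    return findings


def assess_vendors(vendors: dict) -> dict:
    """Run the assessment over a domain -> (spf, dmarc) mapping."""
    return {domain: assess_email_posture(spf, dmarc) for domain, (spf, dmarc) in vendors.items()}


def share_with_findings(vendors: dict) -> float:
    """Fraction of vendors with at least one weakness, the figure a posture report quotes."""
    results = assess_vendors(vendors)
    return sum(1 for f in results.values() if f) / len(results)


if __name__ == "__main__":
    for domain, findings in assess_vendors(SAMPLE_VENDORS).items():
        print(domain, "->", findings or "no findings")
    print(f"{share_with_findings(SAMPLE_VENDORS):.0%} of sample vendors show poor email configuration")
```

A soft-fail `~all` is not flagged on its own because many legitimate deployments use it while they tune their sender list; what turns it into a phishing enabler is the missing or `p=none` DMARC policy alongside it, which is why the two records are graded together.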

This cyber event is a reminder to prioritize comprehensive vendor risk management, regardless of the vendor’s service or size. By doing so, you can better safeguard sensitive data and protect your company from potential fallout resulting from a vendor-related data breach.

Lessons from Uber’s Breach and Vendor Risk Management

Our research and analysis of legal service vendors indicate that the industry has room for improvement in terms of cybersecurity. Companies must recognize the potential risks their vendors pose and implement robust vendor risk management strategies to protect sensitive data and maintain public trust.

As businesses continue to navigate the digital landscape, they must prioritize transparency and accountability in the face of data breaches. By investing in stronger security measures, fostering collaboration between CISOs, IT risk professionals, and vendors, and maintaining open communication with affected parties, organizations can work towards a more secure future for all stakeholders involved.

Learn more about building a third-party cyber risk program.