Uber Hacks Past and Present Hang Over Ex-Security Chief’s Trial
(Bloomberg) -- Uber Technologies Inc. is embroiled in another cybersecurity debacle just as the ride-hailing giant attempts to move on from a data breach from 2016.
On Thursday, a hacker co-opted an Uber staff member's Slack account and gained access to part of the company's Amazon and Google-hosted cloud infrastructure. The San Francisco-based company, which confirmed the hack, is still scrambling to evaluate the extent of the damage.
The latest breach comes as Chief Executive Officer Dara Khosrowshahi testifies Friday at the trial of Uber's former security chief, Joe Sullivan, who is facing criminal obstruction charges for his role in the company's response to a hack six years ago that exposed millions of riders' names, emails and phone numbers as well as hundreds of thousands of driver's license numbers. Uber didn't disclose the breach until a year later and said it paid the hackers $100,000.
In both cases outsiders accessed Uber's account with HackerOne Inc. Uber uses its HackerOne account to receive vulnerability disclosures from ethical hackers, in return for payment, or “bounty.” Despite these apparent hallmarks, multiple cybersecurity experts told Bloomberg they didn't think that the breach revealed Thursday was related to the ongoing trial.
“The trial seems to be a red herring and unrelated,” said Corben Leo, a security researcher and chief marketing officer at Zellic, a blockchain security firm. “This hacker wants what 99% of young, immature hackers want: money and fame.”
The breadth and depth of the intruder's access is still unknown. “And that's exactly why it is terrifying,” Leo said. “The hacker has clearly accessed files related to the bounty program. What's worse is that the hacker had access to Uber's AWS environment, which most likely held customer data.”
The company, which said on Twitter it has contacted law enforcement, froze some internal systems including Slack communications while it investigates the hacker's claims.
In a blog post Friday afternoon, Uber said it has “no evidence that the incident involved access to sensitive user data (like trip history).” All of Uber's ride hailing, food delivery and freight services are operational, it said, adding that internal software tools that were taken down as a precaution yesterday are coming back online today.
“Regardless of the trial outcome, the ability for an individual to gain the level of apparent access they did through well-known social engineering techniques which allowed them to access an internal company VPN is alarming,” said Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks.