Panic on board for Uber in the stock market
It was an act of hacking at Uber that a young adult claimed. The action sent its stock plummeting on Wall Street on Friday, Sept. 16, and prompted cybersecurity experts to remind people how poorly protected many large companies are.
“We have no evidence that the incident compromised any sensitive user data,” the chauffeured vehicle (VTC) booking platform said Friday, Sept. 16, adding that all of its services and mobile app were “operational.”
The Uber group mentioned Thursday evening, September 15, a “cybersecurity incident,” saying it was “in contact with the authorities” about it.
Friday, September 16, Uber shares were down 3.41% at USD 32 after having lost up to 6.79%.
According to the New York Times, a young hacker who says he is 18 years old obtained access codes to Uber’s internal network by posing as a member of the technical team to an employee, and thus to the intranet, source code and emails, according to the newspaper, which received screenshots from the hacker to support its claims.
A team of cybersecurity specialists also said they were in contact with the man who presented himself as the hacker.
The hacker managed to determine a valid username and password, says Graham Cluley, a cybersecurity analyst, in a blog post Friday, Sept. 16.
The hacker also mentioned “I bombarded an employee with multifactor authentication requests”, until the person gave in and gave him access out of “fed up”.
“The human is often the weakest link,” recalled Ray Kelly of Synopsis Software Integrity Group, a California-based IT infrastructure company, “groups spend a lot of money on hardware and security tools, but employees are not sufficiently trained.”
According to Keeper Security, U.S. companies suffer 42 cyberattacks a year, three of which are successful.
It’s an incident that comes as the trial of former Uber IT security chief Joe Sullivan, accused of covering up a 2016 cyberattack that allowed hackers to get their hands on personal data of about 57 million users of the platform, is taking place this week in San Francisco.
According to the indictment, Joe Sullivan, fired in November 2017, had also arranged for a USD 100,000 ransom payment to the hackers behind the attack.
The case was not revealed until a year later, when Uber reached an out-of-court settlement with prosecutors in 50 U.S. states, incorporating USD 148 million in compensation, in total, for delaying disclosure of the attack to the regulator and the public.
Identified by U.S. authorities, the two hackers behind the cyberattack were arrested and pleaded guilty to extortion before a federal judge in California in 2019. Their sentences have not yet been handed down.
Joe Sullivan’s trial is seen as a test of how the U.S. justice system views the responsibilities and obligations of cybersecurity specialists within companies.