
Uber Is Having a Really, Really Bad Day

Uber is already struggling to maintain a positive consumer image after a series of PR disasters over the last year.

Wait, what happened?
Yesterday was a tough day for Uber. Everyone’s favorite ride-hailing service was outed for attempting to hide the details of a massive hacking incident that occurred in 2016. The incident left the personal data of drivers and users exposed, including the names and driver’s license numbers of nearly 600,000 Uber drivers in the US, along with the sensitive information of over 57 million Uber users globally.

But wait, there’s more!
So the company had an inept security system; what’s the big deal? Surely we’ve seen this story play out before? Usually a company has a few bad days and a PR nightmare before journalists and bloggers slowly move on to the next story, but this one is going to sting for a while. Along with the data breach, the firm’s CTO was also shown to have paid off the two hackers who had accessed the data, to the tune of $100,000, in order to keep the situation quiet. Ouch. We hope Uber’s PR team is ready to deal with the media.


The Experts Weigh In
In the midst of this catastrophe there are experts cutting through the noise and giving organizations the information they need so that their company is not the next big security breach story. Several 10Fold clients talked to Fox News about the event, about how security failures like these are affecting the tech industry and beyond, and about how firms can avoid or protect themselves from attacks in the future.

Stephan Chenette, CEO of enterprise security firm AttackIQ, gave Fox News a statement alongside several other 10Fold clients: “What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers.”

Manoj Asnani, vice president of product and design at network security firm Balbix, told Fox News that password security is an ongoing challenge for businesses. “Stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data.”

Zohar Alon, co-founder and CEO of cloud security specialist Dome9, added his comments as well: “This is yet another case of user error trumping the best security measures readily available today. For an organization as large as Uber, this is inexplicable. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub,” he added. “Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”

Looking for more great insights? Check out some of our other content here.

By Tyler Trainer


Security Never Sleeps - Uber Breach, LA Cybersecurity

FTC: Uber Failed To Protect 100,000 Drivers In 2014 Hack

“Uber lacking security in several areas”

The Federal Trade Commission has ruled that Uber must upgrade its security systems after reviewing its current programs and finding them lacking. The review revealed evidence that a 2014 data theft had been twice as large as originally reported, with details of 100,000 drivers leaked to an intruder. The leak was made possible because the cybercriminal was able to view driver data stored in plain text on an Amazon Web Services store.

Los Angeles plans to launch a cybersecurity threat-sharing group with city businesses

“Expected to lead as part of larger trend between state and business”

The city of Los Angeles has now officially announced a cybersecurity threat-sharing collaboration with businesses that operate in the city. Industry organizations and federal agencies have made threat-sharing agreements with each other in the past; however, none has reached the scope, or the inclusion of SMEs, that Los Angeles is orchestrating. Initial partners include video game production firm Riot Games, law firm O’Melveny and Myers and mall operator Westfield.

Automating cloud compliance

“Change of mindset needed for quality security”

Security is often treated by individuals and firms as a point-in-time activity. Standards and regulations are often based on this model, even in cloud computing, where customer environments are generally in flux and rarely static. In reality, continuous compliance, auditing and assurance programs are the only real way to ensure that your protection remains effective.

Greed drives malevolent insider to steal former employer’s IP

“Remote IP theft”

Design and engineering firm Allen & Hoshall has fallen victim to a growing trend in IP crime: remote theft of company data and ideas. Jason Needham, after founding the competing firm HNA-Engineering, helped himself to his former employer’s ideas and research by gaining unauthorized remote access to its systems.


10Fold - Security Never Sleeps - 143

Google Just Discovered A Massive Web Leak… And You Might Want To Change All Your Passwords

“Perhaps most dangerous leak of the year so far”

A Google researcher recently uncovered a leak that may end up exposing user passwords on many popular platforms and applications. Major services indicated to be vulnerable may include Uber, FitBit and OkCupid.

Beware Google Chrome scam that could inject malware into your computer

“Cybersecurity experts still concerned over continued threat”

A Google Chrome malware campaign still poses a threat to users after several months of circulation. Proofpoint has officially warned that hackers can inject script into poorly protected pages, targeting Chrome browsers specifically. The script then rewrites the compromised website in the affected user’s browser, rendering the page unreadable and presenting a fake issue for the user to resolve.

Stop using SHA1: It’s now completely unsafe

“First real-world collision against SHA-1 hash”

Security researchers have now demonstrated the first collision against the SHA-1 hash function, producing two different PDF files with the same SHA-1 hash. The algorithm’s security-sensitive uses are now entirely vulnerable, and it should not be used for any secure files.


10Fold – Security Never Sleeps – 37

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: HSBC has been hit by a cyber attack causing its personal banking website and mobile application to shut down, only weeks after a systems failure that left thousands of its customers without access to digital services. Researchers at Kaspersky Lab spotted attackers using malicious Microsoft Word documents distributed via spearphishing emails to spread the Black Energy Trojan in Ukraine. Last year was a record year for malware, according to a new report from Panda Security, with more than 84 million new malware samples collected over the course of the year. What the company calls a ‘bug’ exposed an Uber driver’s tax information, including her name and Social Security number, to all drivers who logged onto their dashboard.

HSBC cyber attack brings Internet banking to its knees – Publication: Financial Times – Reporter name: Emma Dunkley

HSBC has been hit by a cyber attack causing its personal banking website and mobile application to shut down, only weeks after a systems failure that left thousands of its customers without access to digital services. The bank said in a statement that it had “successfully defended against the attack, and customer transactions were not affected.” However, by early afternoon on Friday its online banking services were still unavailable to some customers. Alex Kwiatkowski, a senior strategist at software group Misys, said the attack was “very concerning” and “shines a bright spotlight” upon HSBC’s systems weaknesses.


BlackEnergy malware deployed using malicious Word docs – Publication: SC Magazine – Reporter name: Robert Abel

Researchers at Kaspersky Lab spotted attackers using malicious Microsoft Word documents distributed via spearphishing emails to spread the Black Energy Trojan in Ukraine. Russian-speaking threat actors in the BlackEnergy APT group have been using malicious Excel and PowerPoint files to spread the group’s malware since last year, but Kaspersky’s Global Research and Analysis Team Director Costin Raiu claimed this was the first time Word documents had been used. The BlackEnergy APT group has been actively targeting energy, government and media organizations in Ukraine, as well as industrial control systems and supervisory control and data acquisition (ICS/SCADA) operators and energy companies worldwide.


27% of all malware variants in history were created in 2015 – Publication: CSO Online – Reporter name: Maria Korolov

Last year was a record year for malware, according to a new report from Panda Security, with more than 84 million new malware samples collected over the course of the year. Trojans continued to account for the main bulk of malware, at 51.45 percent, followed by viruses at 22.79 percent, worms at 13.22 percent, potentially unwanted programs such as adware at 10.71 percent and cases of spyware at 1.83 percent.


‘Bug’ Exposes Uber Driver’s Tax Information, Including Name and Social Security Number – Publication: Forbes – Reporter name: Kelly Phillips

It was an über bad day for one driver who had her personal tax information, including her Social Security number, exposed due to what the drive-on-demand company is calling a “bug.” When Uber drivers logged on to the Uber partner dashboard to check their own 1099 information for 2015, they instead received information relating to someone else: a Florida woman who also drives for the company. The form in question was a federal form 1099-K, Merchant Card and Third Party Network Payments. Technically, drivers for Uber are not employees, which is why they fill out the 1099-MISC. The driver’s 1099-K information remained on the Uber dashboard for a short time, and it’s not known how many other drivers might have viewed it during that time. When made aware of the error, the company removed the tax tab from the dashboard altogether while the mistake was corrected.