Uber has had another security breach this year, and it offers a strong learning opportunity for small businesses. Information involving the source code for the mobile device management (MDM) platforms Uber uses was stolen, along with personally identifiable information (PII) for over 75,000 employees. A malicious actor targeted a third party that Uber works with to gain access to systems that held sensitive business information, and once that business was compromised, the hacker had access to the information it held on Uber. By learning about this situation, small businesses can plan their third-party risk management better and learn some best practices for defending the data they must give to outside companies.
How Did the Attack Work?
The hackers focused their attack on a company called Teqtivity because of its relationship with Uber. They gained access to Teqtivity’s AWS backup server, which held all of the stolen information. It is not immediately clear whether the cloud server was misconfigured or the attacker stole credentials to access the backup server, but once inside, they stole employee PII, MDM platform information, and other IT-related data. The highlight for small businesses here is that Uber itself was not directly compromised, and there was little it could do to stop the initial attack targeting the third-party company it works with.
Small businesses often need to work with many third-party companies to get their work done. Backup services, accounting software, and subscriptions for needed tools are just a few examples of outside companies that will have access to your information once you give it to them. Therefore, it is possible for any small business to find themselves in the same position as Uber, even if they take the proper mitigation precautions. Small businesses should make sure they are keeping track of what information is given to which third parties and which contractors have access to their systems or sensitive information.
The first step to defending your own company from a situation similar to Uber’s is to manage third-party access to sensitive company data. It can be tempting to give a third party access rights similar to an employee’s, but contractors and other businesses should be subject to at least as many restrictions, and as much security monitoring of their data access, as employees. Your small business can also plan how to handle a security breach involving an individual partner by thinking through what data that partner has access to, how a breach involving that partner would affect the business, and the immediate steps that would need to be taken to prevent as much damage as possible.
It is important to remember that the attacks that have targeted Uber could focus on anyone, and if small businesses do not take the initiative to learn from the mistakes of larger companies, then it becomes likely that they will suffer similar attacks. Our team of IT specialists here at Robinett Consulting have seen the threat landscape for small businesses evolve over decades, and we want to bring that knowledge to your company, so you can learn the best practices for keeping your data safe from hackers. If you feel your company needs to take a closer look at its security posture to better avoid attacks, then we’re waiting to hear from you today!