A mid-sized law firm representing Uber has notified an unknown number of its drivers that sensitive data has been exposed and stolen due to a cyber-attack. New Jersey-based Genova Burns disclosed the breach in an email to customers first obtained by The Register.
“We determined that an unauthorized third party gained access to our systems, and certain limited files were accessed or exfiltrated between January 23 2023, and January 31 2023,” reads the notice.
“The investigation determined that information you provided to Uber, including your name and Social Security number and/or Tax Identification Number, was among the impacted data.”
Read more on Uber data breaches: Uber Hit By New Data Breach After Attack on Third-Party Vendor
Genova Burns added that they are currently investigating the incident with law enforcement. The firm said it changed all its system passwords and is offering affected drivers 12 months of complimentary identity monitoring services through Kroll.
According to Krishna Vishnubhotla, vice president of product strategy at Zimperium, an increasing number of businesses rely heavily on third-party services.
“A typical enterprise business uses more than 1000 cloud services and applications, many of which are third-party services.”
However, Vishnubhotla added that the central issue of this practice is the exchange and monetization of sensitive data between different parties.
“Once this happens, it’s challenging for any enterprise to keep track of where this data resides at all times and if it is properly protected.”
As a result, advised Pathlock CEO, Piyush Pandey, “third-party access to core business systems should be managed with the strictest of access controls.”
The executive explained that for public, regulated companies like Uber, third-party access often has specific regulations attached to it to ensure controls are enforced in a highly monitored way.
“The challenge organizations often face with third-party access management is how time-consuming the review process is,” Pandey added.
“To be truly effective, organizations must automate the workflow around third-party access reviews to be more proactive in adjusting policies to reduce risk where possible.”
More information on how companies can defend against similar data breaches is available in this analysis by CyberArk senior vice-president of EMEA, Rich Turner.
Editorial image credit: Ink Drop / Shutterstock.com