Uber breached again

Josh KlascoBlog

We all love a good serial drama. The season four premiere of Succession saw a record-breaking 2.4 million viewers for HBO Max. In the world of cybersecurity, people are watching the unfortunate events unfolding around Uber as a drama of its own. 

Here’s a quick recap of recent episodes:  

A few years ago (2016), Uber was hit by a ransomware attack. They paid the ransom but were afraid that their investors/ users would frown on the whole affair — so they decided to keep the whole thing under wraps. They even went as far as to have the hackers sign a non-disclosure agreement. The whole affair came to light in 2019, and in 2022 the CISO in charge of the cover-up was convicted of obstruction of the Federal Trade Commission and misprision of a felony. Since November 2022, Uber’s data has been exposed three more times.  

Uber’s most recent breach came through a third-party law firm, Genova Burns. Genova Burns is a midsize law firm out of the East Coast. Like many midsized companies, they are part of a larger supply chain.  A breach in any part of the supply chain can put the data of every link at risk. This is exactly what happened with Uber.  

Genova Burns is one of the many law firms that Uber works with. They focus on labor and employment law. Obviously, a law firm that focuses on employment and labor will have access to employees’ sensitive information. So, when the walls of their cybersecurity were breached, the hackers had access to the information from all their clients. 

At this point in the blog, it’s only fair to tell you that we buried the lead a little in the beginning. Yes, Uber was breached (again). And yes, the sensitive information of their drivers is at risk, as a result. But the crux of the story and the lesson to be learned comes from Genova Burns. When you’re part of a supply chain, other companies are trusting you with their data or product. We all know the saying that a chain is only as strong as its weakest link.  

An economy is an ecosystem. We all know this is true (some more consciously than others), but we don’t often think about business symbiosis. Genova Burns was probably over the moon when they landed Uber as a client. Were it not a violation of attorney-client privilege, they’d certainly have the phrase “WE WORK WITH UBER” tattooed all over their website. At the minimum, you can be sure that they tell prospects that they work with a major ride-share company. But now that Uber has suffered another public embarrassment for which Genova Burns is directly responsible (you could say that Uber is at fault for not being thorough enough in auditing the cybersecurity of the companies they work with — which, while possibly true, doesn’t let Genova Burns off the hook for having weak security irrespective of Uber), it’s hard to imagine that Uber will be excited to work with Genova Burns in the future.  

The bottom line of this story is that Genova Burns is the real victim of this story. No matter how much embarrassment they face, Uber is going to be fine; with ~70% control of the market, they’re on the winning side of a ride-share duopoly. But Genova Burns isn’t lucky enough to have such a strong hold on a niche market. Recovering from the financial and reputational damage of this breach spells a hard few months (even years) for Genova Burns. This could have all been avoided with better cybersecurity. 

This is one of the things that we think about here at Coro. When it comes to cybersecurity vis-a-vis the economy, a high tide raises all ships. We dedicate our focus to protecting small to midsized companies like Genova Burns. In doing so, we’re working to stop this sort of compromise magnification from rippling through the supply chain. 

If your company works as a third party in any capacity, it’s time to make sure your security is up to snuff. Coro offers a single platform that protects your emails, data, cloud apps, devices, and even users. We are completely automated and intentionally affordable. Don’t be the weak link in the supply chain. Try Coro today.