Uber gave sensitive data on drivers to a law firm representing the company in legal actions, but the data appears not to have had adequate security protections.


A law firm representing Uber Technologies has notified an unknown number of its drivers that sensitive data, including their names and Social Security numbers, has been stolen by cyberattackers.

It's the third data breach in six months for the ride-share giant.

Law firm Genova Burns LLC, based in Newark, NJ, first noticed suspicious activity at the end of January, and — after an investigation by outside specialists — discovered that its systems had been compromised and data on an undisclosed number of Uber drivers had been stolen, according to a letter published online on April 4. Uber sent the information to the law firm in connection with its legal representation, the letter stated.

Genova Burns did not explain why the law firm needed drivers' personally identifiable information (PII) and did not respond to multiple requests for comment.

"Upon learning of the event, we investigated to determine the nature and scope of the incident and secured the environment by changing all system passwords," the law firm said in the letter sent to Uber drivers. "We also notified law enforcement and are cooperating with its investigation. We will be taking additional steps to improve security and better help protect against similar incidents in the future."

Some major breaches have targeted legal firms, which typically hold very sensitive data and often do not have a dedicated information-security director. In January and February, two cybercriminal campaigns — GootLoader and SocGholish — hit six different law firms with cyberattacks. Notably, the cyberattackers behind GootLoader used search terms that refer to contracts, agreements, and other legal forms as bait in a drive-by download campaign.

By using malicious search engine optimization techniques, the attackers in that case lured potential victims to malicious sites, which then attempted to compromise the user's machine with their malware, says Keith Jarvis, a senior security researcher at Secureworks' Counter Threat Unit (CTU). He adds that it's unclear whether the Uber data was specifically targeted or simply caught up in such an effort.

"We do not know if this targeting is intentional or incidental, but it has been effective at ensnaring organizations in legal services," he says.
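The drive-by lure Jarvis describes (search results for contracts, agreements and legal forms leading to a malicious download) leaves a recognisable trail in web proxy logs. The following is an added example, not code from the article, Secureworks or Genova Burns: a small hunting script that flags downloads reached from a search-engine referrer where the landing domain is not an expected document source and the file name combines legal-document bait terms with an archive or script extension. The log format, the allowlist and the bait vocabulary are assumptions, and every log line is constructed for illustration.

```python
"""Heuristic hunt for SEO-poisoning drive-by lures in web proxy logs.

Added example, not from the article. The log layout, domain allowlist and
bait vocabulary are assumptions chosen for illustration; tune them to your
own environment before use. All sample log lines are constructed.
"""
import re
from urllib.parse import urlparse

# Referrers that show the user arrived from a web search (assumption: common engines).
SEARCH_ENGINE_DOMAINS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Bait vocabulary matching the article's description of the lure (legal forms, contracts).
BAIT_TERMS = ("contract", "agreement", "template", "form", "nda", "lease")

# Archive and script extensions typical of drive-by payloads (assumption).
SUSPICIOUS_EXT = (".zip", ".js", ".jse", ".wsf", ".vbs")

# Constructed allowlist of domains this organisation legitimately fetches documents from.
ALLOWED_DOMAINS = {"docs.example-firm.test", "sharepoint.example-firm.test"}

# Constructed log format: timestamp client_ip method url referrer status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<referrer>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: one legitimate document, one lure, one follow-up fetch, one vendor update.
SAMPLE_LOGS = """\
2023-01-31T09:12:04Z 10.1.4.22 GET https://docs.example-firm.test/forms/nda_template.docx https://www.google.com/ 200 48213
2023-01-31T09:15:37Z 10.1.4.22 GET https://random-blog.test/wp-content/uploads/2023/01/Commercial_lease_agreement_template.zip https://www.google.com/ 200 12877
2023-01-31T09:16:02Z 10.1.4.22 GET https://random-blog.test/favicon.ico https://random-blog.test/ 200 1150
2023-01-31T10:01:45Z 10.1.7.9 GET https://cdn.vendor.test/update/client.zip - 200 998231
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_suspicious(entry):
    """Apply the lure heuristic to one parsed log entry."""
    url = urlparse(entry["url"])
    referrer = urlparse(entry["referrer"])
    file_name = url.path.rsplit("/", 1)[-1].lower()

    came_from_search = referrer.netloc in SEARCH_ENGINE_DOMAINS
    unexpected_host = url.netloc not in ALLOWED_DOMAINS
    bait_name = any(term in file_name for term in BAIT_TERMS)
    risky_type = file_name.endswith(SUSPICIOUS_EXT)

    # All four conditions must hold: search origin, unfamiliar host, bait wording, risky file type.
    return came_from_search and unexpected_host and bait_name and risky_type


def hunt(log_text):
    """Return the URLs of every log line that matches the lure heuristic, in order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_suspicious(entry):
            flagged.append(entry["url"])
    return flagged


if __name__ == "__main__":
    for url in hunt(SAMPLE_LOGS):
        print("possible SEO-poisoning lure:", url)
```

Only the second constructed line is flagged: it came from a search engine, landed on a host outside the allowlist, and fetched an archive whose name is built from legal-form bait terms. The first line uses the same bait wording but comes from an allowlisted document host, and the remaining lines lack a search-engine referrer. Short bait terms such as "form" will match ordinary words like "information", so in practice the term list and allowlist need tuning against a baseline of normal traffic.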

Hackers Love to Hate Uber

Uber has been a frequent target of hackers. The ride-sharing service provider had previously leaked information on 50,000 drivers and their license plates in May 2014, followed by a more serious breach in October 2016, when cybercriminals gained access to the private data of 57 million Uber users. In 2022, two more attacks — one through a third-party cloud provider — successfully captured sensitive data, and one resulted in the company's CISO resigning.

In the latest attack, Uber confirmed the breach, but directed questions back to its law firm.

"These drivers have been notified that their Social Security number and/or tax identification number have been potentially impacted and [were] offered complimentary credit monitoring and identity protection services," Uber said in a statement. "Genova Burns indicates that they are not aware of any actual or attempted misuse of the information, and confirmed that they are taking additional steps to improve security and better protect against similar incidents in the future."

The law firm first detected the attack on Jan. 31, and, following an investigation by an unnamed third-party forensics and data-security specialist, discovered that its data had been accessed and exfiltrated during the week prior to discovery.

"On March 1, 2023, we determined that information related to you [the Uber drivers] was contained in an impacted file, after which we notified Uber," Genova Burns stated in the letter, published by The Register. "At this time, we are unaware of any actual or attempted misuse of your information as a result of this incident."

Genova Burns joins a growing group of law firms that have become victims of cyberattackers. In 2021, attackers accessed systems at Campbell Conroy & O'Neill, a law firm with hundreds of major corporate clients; the exposed data included names, birthdates, driver's license numbers, Social Security numbers, passport numbers, and even medical information.

While most cybercriminals are opportunistic attackers, law firms often attract unwanted scrutiny, says Secureworks' Jarvis.

"For the minority of cybercriminal attacks where a victim is targeted, organizations with access to large amounts of third-party data, such as law firms, present a valuable target," he says. "Law firms also frequently fit the profile of small to midsized organizations with a sizable IT footprint but no dedicated security resources."

Over the past few years, nation-state groups have targeted law firms to uncover information on their clients' intellectual property and technologies in development.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
