What Uber’s Latest Data Breach Means for Third-Party Risk

Uber is in the headlines once again for losing sensitive data. However, this round of data exposure isn’t due to a breach of Uber’s facilities. Rather, New Jersey-based law firm Genova Burns was storing data about Uber’s drivers, including social security numbers, taxpayer identification and other personally identifiable information (PII) when attackers exfiltrated the data earlier this year.

Why did the lawyers need access to PII? The specifics are unclear. Officially, the firm required the data for its legal representation of Uber. That means the only public domain knowledge is the dates attackers bypassed the firm’s security measures, the type of information stolen, and the short-term security fix. This event will undoubtedly become a fascinating case study on third-party risk management. In this article, I’ll explore three important lessons companies can take away from this cybersecurity incident.

1. The Importance of Due Diligence on Business Partners

There is a responsibility to conduct due diligence on the security of partner organizations. In the acknowledgment letter sent to affected drivers, the law firm stated that they “secured the environment by changing all system passwords.” That’s a red flag. Based on that statement, it causes suspicion that the firm is not using multifactor authentication (MFA) or other password best practices. It also raises questions about the length of time the firm intended to store the data and its data disposal procedure.

Did the law firm have security flaws? Probably. But Uber’s review of its security posture is limited to answers received or audits reviewed. Uber likely underwent a thorough due diligence process and wound up in an unfortunate situation. The nature of legal firms draws attention from bad actors, emphasizing the importance of hardening their cybersecurity defenses.

2. How to Determine Data Exfiltration Liability

Liability is a relevant topic. If the law firm had a genuine need to access the sensitive data, then they are liable for the damages of the breach. But, if the PII wasn’t critical for their business proceedings, then Uber’s sharing of the information could be considered negligence.

This mass breach of social security numbers will lead to lawsuits. It’s between Uber and Genova Burns LLC to determine who is ultimately responsible for paying the damages. That said, it’s unlikely that either company’s payments will come entirely out of their own pockets. Cyber liability insurance exists for events of this nature.

3. Handling the Brand Impact of Data Leaks

Finally and most importantly, the impact on brand reputation can be long-lasting. This breach will undoubtedly affect the law firm’s ability to attract large enterprises as customers. Yet, notice how none of the headlines read, “Genova Burns Loses Sensitive Data.” The household name always takes the media hit. Uber has been through several data breach events before, so they know a lot about reputational impact. It makes them skeptical about who they work with.

In conclusion, keeping a continuous watch on third-party risk is vital. The reviews should include the accessed data, whether that data’s needed for normal operations and how it’s secured. Additionally, the two parties should establish liability in the event of a breach. Plus, a strategy should be in place to handle third-party breaches when they eventually occur.

Avatar photo

Jacob Garrison

Jacob Garrison is a security researcher at application security posture management (ASPM) company Bionic, where he researches modern software exploits and creates content to help security teams know what's happening to their code in production. Prior to Bionic, Jacob held various engineering roles at global manufacturing firms Sagetech Avionics, Custom Mechanical Solutions, and Pioneer Pump, Inc.

jacob-garrison has 1 posts and counting.See all posts by jacob-garrison