This company attacked AGAIN & this organization did not know they were attacked...

In this week's Cyber Weekly:

1. Uber gets attacked AGAIN
2. Strange data privacy breach
3. A $25 million bill
4. They didn't know they were hacked
5. In case you didn't know

Thanks to all 10,249 subscribers. It really takes a community to fight against cyberattacks. By sharing these newsletters, we can reach more people and help others from becoming a statistic. Share this blog in the top right corner of this blog.

Also, follow me on LinkedIn for daily tech discussions >> Luigi Tiano.

1. Uber gets attacked AGAIN

‍

Uber uses Tequivity for asset management and tracking services. The hackers got through the Tequivity AWS server. It is unsure if they got through due to a misconfiguration of the cloud bucket or if there was an actual compromise to blame. The ransomware gang, UberLeaks, posted data from Uber and Uber Eats on the dark web proving they successfully got through. (darkreading)

This is Uber’s third cyber attack in 6 years. Let’s look at the ride-sharing company’s history with cyber breaches.

• In 2016, Uber was hacked and lost the personal data of over 57 million passengers and drivers. They concealed the hack for over a year.
• In 2018, Uber paid $148 million to settles claims that it was too slow to disclose a hacking incident. At that hearing, the prosecution came to a settlement and decided not to criminally charge the ride-sharing company because the new management had a stronger focus on ethics and compliance.
• Earlier this year, Joseph Sullivan, former Uber CISO from 2016, was found guilty for obstructing justice for keeping the 2016 breach from the Federal Trade Commission.
• On September 15, 2022 Lapsus$ hacked Uber’s internal systems and exposing the data on 77,000 Uber employees online.

‍

My thoughts: Thank you to Uber for giving us so much good material to write about…😉. 2 things stand out. First, companies holding personal identifiable information will continue to be major attack targets. Second, 3rd party due diligence will need get a lot more stringent and will need periodic checkpoints to ensure compliance and safety. Thoughts?

On another note, Uber was never charged criminally for their lack of data privacy measures. However, I think it’s safe to say that they do not have the proper measures in place. It’s 3 cyber breaches and 6 years later and we’re still talking about whether or not they properly secure customer data. In my opinion, the answer is clear.

‍

2. Data privacy breach was not from a ransomware attack

‍

Australian telecommunications company, Telstra, is now apologizing to thousands of Australians for accidently publishing their information online. There were no hackers and no cyber attacks. The company accidently published it online themselves. The communication giant said names, number and addresses were released online and blamed misalignment of databases. (abc.net.au)

This comes after the Optus and Medibank cyber breaches which affected one-third of the Australian population.

‍

My thoughts: I wouldn’t be surprised if we see more drastic change in data privacy regulations in Australia.

‍

3. A $25 million Bill from This Cyber Attack

‍

We got an update from the Sobeys; “IT incident” last month. Employees admitted that they had a ransomware attack. The parent company, Empire Co has not finished their investigation, but estimate that it will cost them $25 million to recover from this attack.

The parent company owns 1500 stores across Canada including Sobeys, IGA and Safeway. They reported an earning of $189.9 million last quarter. (cbc)

‍

My thoughts: We know it will cost a lot for such a big company to clean up a cyber attack. I think we should normalize talking about how they will spend that money. What is that $25 million for? What solutions will be put in place so that we are confident our data is safe? I think that is way more reassuring than just letting us know how much money will be spent. With an average of $600 million in revenue this year, is $25 million even enough?

Here in Canada, individuals and companies are encouraged to report any incidents to the Canadian Center for Cyber Security. https://cyber.gc.ca/en. Is it happening? How are these complaints being managed?

Transparency and awareness is key and should help others in the future.

‍

4. This organization didn’t know they were hacked

‍

LockBit ransomware group claimed to have stolen confidential data from the California Department of Finance. They claim to have stolen databases, confidential data, financial documents and IT documents. They posted evidence of the documents online claiming to have stolen 75.7 gigabytes of data. LockBit demands the department pays the ransom by December 24, 2022. The ransom amount is unknown. (itworldcanada)

‍

My thoughts: Huge reminder that the holidays are right around the corner. Attackers use holidays and long weekends knowing well that many IT staff are not around. Make sure to not click on any unknown links and if you are away, be sure you have the necessary solutions to monitor and alert at first sign of an incident.

‍

5. In case you didn't know...

‍

I started Assurance IT with my childhood friend Ernesto Pellegrino in 2011. Our mission is to help 100,000 companies become cyber resilient through our services and free content. We focus on helping mid-sized organizations with data protection and data privacy. Our primary services include: endpoint management, cloud backup, DRaaS, Microsoft 365 backup, and Quebec's Law 25 training.

‍

‍