Uber Breach Incident Score: Analysis & Impact (UBE4092840111225)

In this Rankiteo incident briefing, we review the Uber breach identified under incident ID UBE4092840111225.

The analysis begins with a detailed overview of Uber's information like the linkedin page: https://www.linkedin.com/company/uber-com, the number of followers: 3170015, the industry type: Internet Marketplace Platforms and the number of employees: 123983 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 808 and after the incident was 764 with a difference of -44 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Uber and their customers.

On 21 November 2017, Uber Technologies, Inc. disclosed Data Breach, Regulatory Violation and Legal Conviction issues under the banner "Uber 2016 Data Breach Concealment and Legal Conviction of Former Security Chief Joseph Sullivan".

Former Uber security chief Joseph Sullivan was convicted for obstruction and misprision in concealing a 2016 data breach from the US Federal Trade Commission (FTC).

The disruption is felt across the environment, affecting Uber’s AWS data storage and GitHub repositories, and exposing Personal data of 57 million Uber users and drivers (names, email addresses, phone numbers) and Driver’s license numbers for ~600,000 US drivers, with nearly 57 million (50 million riders, 7 million drivers) records at risk.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Paid hackers $100,000 to delete data and sign NDAs (misrepresented as bug bounty) and Terminated access to compromised repositories, and began remediation that includes Enhanced access controls, Executive leadership changes and FTC-mandated security improvements post-settlement, and stakeholders are being briefed through Initial concealment, Delayed public disclosure (November 2017) and Apologetic statements from new CEO Dara Khosrowshahi.

The case underscores how Closed (legal proceedings concluded with Sullivan’s conviction upheld in 2025; FTC settlement fulfilled), teams are taking away lessons such as Transparency with regulators and the public is critical, even in the face of reputational risk, Paying hackers to conceal breaches can lead to severe legal consequences (obstruction charges) and Third-party credential management and access controls require rigorous oversight, and recommending next steps like Implement mandatory breach disclosure timelines aligned with regulatory requirements (e.g., GDPR, CCPA), Avoid paying attackers without law enforcement involvement; follow established incident response protocols and Conduct regular third-party security audits, especially for cloud storage and code repositories, with advisories going out to stakeholders covering FTC consent order (2018) mandated biennial audits for 20 years and Public apologies from Uber’s leadership in 2017.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), supported by evidence indicating compromised credentials for Uber’s private GitHub repository (third-party cloud service access). Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with high confidence (90%), supported by evidence indicating poor access controls and credential management for third-party code repositories (GitHub). Under the Persistence tactic, the analysis identified Account Manipulation: SSH Authorized Keys (T1098.004) with moderate to high confidence (70%), supported by evidence indicating compromised credentials for GitHub repository (potential for persistent access via stored credentials). Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (85%), supported by evidence indicating data stored unencrypted in AWS (bypassing encryption defenses) and Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (80%), supported by evidence indicating paid hackers $100,000 to delete the data (attempt to erase evidence of breach). Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (85%), supported by evidence indicating high-value targets such as AWS S3 buckets containing unencrypted user/driver data (attackers located sensitive data). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating data exfiltration such as Yes (data downloaded by attackers) from AWS S3 buckets. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with high confidence (90%), supported by evidence indicating data downloaded by attackers (unencrypted AWS storage accessed via compromised GitHub credentials). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (0%), Data Destruction (T1485) with moderate to high confidence (70%), supported by evidence indicating paid hackers $100,000 to delete the data (claims of data destruction, though unverified), and Malicious Cyber Activity Against a Non-Government Target (T1659) with high confidence (95%), supported by evidence indicating exposure of PII/driver’s license numbers for 57M users (large-scale privacy impact). Under the Inhibit Response tactic, the analysis identified Data Manipulation: Staged Contents (T1565.003) with high confidence (90%), supported by evidence indicating concealment from FTC and public; misrepresented hacker payment as bug bounty (delayed response via deception). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.