Last week wasn’t an easy one for Big Tech. In the space of seven days both Uber and Rockstar Games were hacked. The transport giant confirmed that its internal Slack messages were infiltrated, as was a tool used by its finance team to manage invoices.
Both breaches highlight the need for companies of any size to not take cybersecurity lightly.
Uber was infiltrated last Thursday, which forced it to immediately turn off many of its internal systems, including its Slack and Google Cloud Platform.
Rockstar also had its internal Slack messages accessed, leading to one of the biggest gaming leaks in history, with over 90 videos of pre-alpha Grand Theft Auto 6 (GTA 6) footage surfacing online.
Uber said the infamous Lapsus$ hacking group was to blame for the breach in its systems last week. The group, which also claims to be behind the Rockstar hack, is known for targeting the Brazilian Ministry of Health at the end of 2021. The ransomware attack put millions of citizens’ vaccination data in jeopardy.
Although it is not confirmed that Lapsus$ is also behind the Rockstar hack, Uber acknowledged the potential link in a statement on Monday.
Early development evidence of GTA 6, one of the most anticipated video games of all time, caused the expected frenzy and chatter online – but the two hacks have left experts questioning the safety of technology giants and their customers.
Big Tech should take privacy on employee messaging platforms seriously
Both Rockstar Games and Uber had their Slack messaging platforms infiltrated. Rockstar claims they are unclear on how the “network intrusion” occurred. Uber said an EXT contractor had their account compromised, likely after their corporate password was purchased on the dark web.
“News of the Uber data breach acts as a reminder that every organisation – even a large corporation with a dedicated security team – is at risk of falling victim to a social engineering attack,” Lawrence Perret-Hall, director at CYFOR Secure, said.
The fact that both companies fell victim to internal messaging systems being hacked has led cybersecurity experts to speak out about the need for stronger security.
Erfan Shadabi, cybersecurity expert at comforte AG, told Verdict: “Gaming organisations should take privacy on employee messaging platforms (where highly sought-after information is stored and exchanged) as seriously as they would user data privacy.”
This should be done by going further than just the “bare minimum level of security and reviewing all service providers frequently,” Shadabi added.
The expert believes a data-centric approach which protects the data itself “rather than the perimeters around it” is the way to go.
Shadabi noted: “With methods such as tokenisation or format-preserving encryption, you obfuscate the sensitive parts and render it incomprehensible and useless to hackers.
“Better yet, data-centric security is not dependent on protected borders and travels with the data.”
Tom Huckle, director of information security and compliance EMEA at cybersecurity firm BlueVoyant, notes that recent attacks against Uber and Rockstar have proven that, even with multi-factor authentication in place, the additional layer of security can be bypassed.
Huckle explained: “The best defence for companies is a holistic cyber security program that is appropriately resourced and one that continuously reviews the threats against the business, adapts to them and promotes a culture of awareness and healthy scepticism amongst its staff.
“Security is fluid and never static,” he said, “what may work one day as a defence may fail the next.”
GlobalData is the parent company of Verdict and its sister publications.