Breach Notification , Incident & Breach Response , Security Operations

Breach Roundup: Uber, Nebu and Oakland, California

Also in Focus: ISAAC Regional Council, Western Digital, Bitdefender Survey Mihir Bagwe (MihirBagwe) • April 6, 2023

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. In the days between March 30 and April 6, the spotlight was on: an Uber outside law firm, Genova Burns; Dutch software maker Nebu; the latest in Oakland, California's ransomware incident; a northern Australia regional council; and Western Digital cloud services, which are still down. Plus, Bitdefender reveals that far too many security professionals come under pressure not to disclose data breaches even when there's a legal obligation to do so.

Uber Technologies Inc.

Hackers accessed personal information about Uber drivers, including Social Security numbers, stored by outside attorneys retained by the ride-hailing service. Law firm Genova Burns said hackers gained access to its systems between Jan. 23 and Jan. 31 in a breach affecting an undisclosed number of drivers.

An Uber spokesperson told Information Security Media Group that Genova Burns informed the company of the data breach on March 1. "Impacted information held by Genova Burns included information of certain drivers who had completed trips in New Jersey," the spokesperson said. "These drivers have been notified of the potential impact and offered complimentary credit monitoring and identity protection services."

Nebu

A Netherland maker of market research software must disclose more information about its March 10 hack that potentially affected the personal data of several million Dutch residents. Amsterdam newspaper De Telegraaf reported Thursday that a judge had sided with marketing firm Blauw in a lawsuit requiring Nebu to disclose "extensive information" about the breach and hire an independent forensic investigator. The Dutch Data Protection Authority reportedly has received complaints from 139 companies, including beer maker Heineken, saying they may have been affected by the hack. Blauw said the incident may have affected the data of 780,000 passengers of the Dutch national railway, for which it has conducted customer surveys.

City of Oakland Update

Hackers behind the ransomware attack on the San Francisco Bay Area city of Oakland dumped an additional 600 gigabytes of data they said they stole from the city. The Play ransomware group says it obtained confidential information on current and former employees and on residents who filed a claim against the city or applied for certain federal programs. The city said in a statement Tuesday that it is aware of the data dump and is notifying affected individuals. The LockBit ransomware-as-a-service gang, which asserts it also hacked the city, said it will publish data on Monday unless it receives an extortion payment (see: Play Ransomware Partially Leaks Stolen City of Oakland Data).

Isaac Region, Australia

The Isaac Regional Council, a local government body in the central Queensland area of Australia, disclosed that a ransomware attack on Saturday targeted its internal systems and resulted in reduced customer service capabilities. The council isolated the affected systems. Regional Council CEO Jeff Stewart-Harris said investigators still do not know what information the hackers may have accessed. "The reality is that no matter how we try to improve the resilience of our critical infrastructure against sophisticated cyber incidents, it can still happen," he said.

Western Digital Update

California-based hard disk drive maker Western Digital as of Thursday afternoon hasn't restored its cloud storage offerings after taking them offline Sunday following a hacking incident it first identified March 26. The intrusion compromised a number of the company's systems, from which data had been exfiltrated. Western Digital "is working to understand the nature and scope of that data," the company said in a Monday statement (see: Western Digital Discloses Breach a Day After My Cloud Outage).

Don't Mention the Data Breach

More than 40% of the 400 security processionals surveyed by Bitdefender reported being pressured not to disclose a data breach despite legal obligations to report it. The percentage climbed to 71% among U.S. respondents. All 50 U.S. states have some sort of breach notification law requiring businesses to notify consumers or citizens of breaches, but there is no national law. Slightly more than half of all respondents said they had experienced a data breach as the result of a cybersecurity incident in the last 12 months, and that figure increased to 75% among U.S. respondents, who also said the average total cost of a breach was $4.35 million.