Frontline Insights: Lessons from the Uber 2022 data breach

The 2022 Uber data breach stands as a compelling example of the importance of cybersecurity, revealing the vulnerabilities even major tech companies face. This sophisticated attack underscores the need for robust security measures and highlights the critical role of employee awareness and training in safeguarding sensitive information. Join us as we delve into the intricacies of this cyber 'war story' and extract valuable lessons to help fortify your organization's defenses against future attacks.

With cyberattacks hitting the headlines more frequently and across multiple industries, companies are paying greater attention and investing more in cybersecurity both for their IT systems and operational technology (OT).

But for all the hardware and software barriers available, one of the cyber weaknesses hardest to control is human error, particularly when people are confronted by increasingly sophisticated and complex cyberattacks that are now being assisted by artificial intelligence.

Lax cyber-hygiene on the part of inadequately trained present or past employees, or outsiders such as suppliers who legitimately have access credentials, can unintentionally give malicious actors what they need to penetrate cyber defences.

Failing to keep passwords secure, or responding to phishing emails and social media messages, are two potential areas of weakness. A recent study found more than a third of cyber breaches at critical infrastructure businesses could be traced back to human error.¹

DNV research finds three-quarters (75%) of energy professionals see employees as the weakest link in their organizations’ cybersecurity.² More than a quarter (27%) of the professionals surveyed indicate that their companies do not run sophisticated phishing tests on employees.

Percentage of energy professional who believe artificial intelligence helps hackers to create more sophisticated phishing attempts

^{Figure 1, Source: DNV Cyber - Energy Cyber Priority 2025}

Such concerns highlight how the best defence strategy is good endpoint security, good network security, proper monitoring, threat detection and response, and security awareness.

Some of the threats are highlighted in the sophisticated 2022 cyberattack in which a social engineering technique unlocked the door for a hacker to penetrate the IT network of Uber Technologies, best known for its ride-hailing services.³ It is one of several cyber ‘war stories’ that illustrate the importance of employee awareness and training in cybersecurity.

In this case, a young hacker possibly associated with cybercriminals purchased access credentials stolen from an Uber employee, but discovered the company’s IT network was protected by multi-factor authentication (MFA).

The attacker repeated MFA push notifications until a targeted employee accepted one out of annoyance or confusion.

In the Uber case, the hacker contacted the employee via an online messaging app, pretending to be from Uber to persuade the worker to comply with a fake authorization request. This social engineering method allowed the hacker to gain access to Uber’s intranet.

The hacker found Microsoft PowerShell scripts on a network share, and the scripts had hardcoded privileged access management (PAM) admin credentials. A schematic representation of the attack is shown in the visual below.

Uber appears to have been fortunate in that the attacker seemed interested only in publicizing that he had been able to hack the system: no ransom is reported to have been demanded.

How the 2022 cyberattack on Uber developed

^{Source: DNV Cyber 2025}

Responding to the attack

Uber took several measures to mitigate the 2022 incident and strengthen its security posture:

• Access revocation: Uber identified compromised or potentially compromised employee accounts and either blocked their access or mandated password resets.
• Tool and codebase lockdown: The company disabled affected internal tools and locked down its codebase to prevent unauthorized changes.
• Credential rotation: Access keys to internal services were rotated, and employees were required to re-authenticate to regain access.
• Enhanced monitoring: Additional monitoring was implemented to detect any further suspicious activity.

Broader lessons 

“From an Identity and Access Management (IAM) perspective, the Uber breach exposed weak MFA protections, poor credential management, and excessive permissions. It reinforces the need for stronger authentication, the least privilege access, and secure handling of credentials to prevent similar attacks,” says Pascal van Vugt, Delivery Lead IAM, DNV Cyber. “Beyond the case-specific takeaways, the breach highlighted general challenges that an organization’s cybersecurity experts face around visibility, compliance and efficiency when designing and implementing robust IAM.” 

References 

1 ‘Over two fifths of critical infrastructure organisations have suffered a cyber breach, report finds’, The Engineer, 5 August 2024 [online] www.theengineer.co.uk  

2 ENERGY CYBER PRIORITY 2025: Addressing evolving risks, enabling transformation. DNV Cyber, 2025. 

3 Security update. Uber Technologies, 19 September 2022 [online] www.uber.com