Few incidents have drawn as much attention as the Uber data breach of 2022. This event not only highlighted significant vulnerabilities within the company's digital identity framework but also underscored vital lessons for the entire industry. As cyber threats evolve at an unprecedented pace, vigilance is more crucial than ever.

The 2022 Uber data breach stands as a compelling example of the importance of cybersecurity, revealing the vulnerabilities even major tech companies face. This sophisticated attack underscores the need for robust security measures and highlights the critical role of employee awareness and training in safeguarding sensitive information. Join us as we delve into the intricacies of this cyber 'war story' and extract valuable lessons to help fortify your organization's defenses against future attacks. 

Frontline Insights: Lessons from the Uber 2022 data breach 

With cyberattacks hitting the headlines more frequently and across multiple industries, companies are paying greater attention and investing more in cybersecurity both for their IT systems and operational technology (OT).  

But for all the hardware and software barriers available, one of the cyber weaknesses hardest to control is human error, particularly when people are confronted by increasingly sophisticated and complex cyberattacks that are now being assisted by artificial intelligence. 

Lax cyber-hygiene on the part of inadequately trained present or past employees, or outsiders such as suppliers who legitimately hold access credentials, can unintentionally give malicious actors what they need to penetrate cyber defences.

Failing to keep passwords secure, or responding to phishing emails and social media messages, are two potential areas of weakness. A recent study found more than a third of cyber breaches at critical infrastructure businesses could be traced back to human error.1 

DNV research finds three-quarters (75%) of energy professionals see employees as the weakest link in their organizations’ cybersecurity.2 More than a quarter (27%) of the professionals surveyed indicate that their companies do not run sophisticated phishing tests on employees. 


Figure 1: Two-thirds of energy professionals believe artificial intelligence helps hackers to create more sophisticated phishing attempts. (DNV 2025) 

Such concerns highlight how the best defence strategy is good endpoint security, good network security, proper monitoring, threat detection and response, and security awareness. 

Some of the threats are highlighted in the sophisticated 2022 cyberattack in which a social engineering technique unlocked the door for a hacker to penetrate the IT network of Uber Technologies, best known for its ride-hailing services.3 It is one of several cyber ‘war stories’ that illustrate the importance of employee awareness and training in cybersecurity. 

The attack and its impact 

In this case, a young hacker possibly associated with cybercriminals purchased access credentials stolen from an Uber employee, but discovered the company’s IT network was protected by multi-factor authentication (MFA).  

The attacker triggered repeated MFA push notifications until the targeted employee accepted one out of annoyance or confusion. 

In the Uber case, the hacker contacted the employee via an online messaging app, pretending to be from Uber to persuade the worker to comply with a fake authorization request. This social engineering method allowed the hacker to gain access to Uber’s intranet. 

The hacker found Microsoft PowerShell scripts on a network share, and the scripts had hardcoded privileged access management (PAM) admin credentials. A schematic representation of the attack is shown in Figure 2. 

Uber appears to have been fortunate in that the attacker seemed interested only in publicizing that he had been able to hack the system: no ransom is reported to have been demanded.

Figure 2: How the 2022 cyberattack on Uber developed. (Source DNV)  

Responding to the attack 

Uber took several measures to mitigate the 2022 incident and strengthen its security posture: 

  • Access revocation: Uber identified compromised or potentially compromised employee accounts and either blocked their access or mandated password resets. 
  • Tool and codebase lockdown: The company disabled affected internal tools and locked down its codebase to prevent unauthorized changes. 
  • Credential rotation: Access keys to internal services were rotated, and employees were required to re-authenticate to regain access. 
  • Enhanced monitoring: Additional monitoring was implemented to detect any further suspicious activity.

Learning point: Do not hardcode credentials in scripts
Comments:
  • Do we have sufficient visibility over who or what can access multiple assets and information in our organization?
  • Is our process for governing access to assets and information good enough?

Learning point: Enforce least privilege
Comments: Too much access makes things worse. The credentials the attackers found unlocked way too much. Limit access to only what is necessary. Following the principle of ‘least privilege’ could have limited the damage.

Learning point: Ensure employee cybersecurity awareness as a critical pillar of sustained business resilience
Comments:
  • The Uber case highlights that multi-factor authentication (MFA) fatigue/’bombing’ works.
  • Do not leave credentials lying around. The attacker found admin passwords in a script on a shared drive: that is a big ‘no’. Secrets should be stored securely, never hardcoded or exposed.
  • Just having MFA is not enough – it needs to be smarter. Uber’s attacker got in by spamming push notifications until someone gave in. Tactics like number matching or limiting push attempts can help prevent this.
  • People are part of your security. The Uber attack started with social engineering. Regular training and clear guidance on what to do in the event of suspicious activity could have made a difference.

Learning point: Use credential management tools
Comments: For example, privileged access management (PAM) tooling for password rotation and vaulting, with scripts retrieving credentials from the vault dynamically at run time rather than storing them.

Learning point: Monitor for lateral movement
Comments:
  • Detect unusual access/activity.
  • Once an attacker is in, movement should be harder. The attacker in the Uber case jumped between systems with little resistance. Better segmentation and tighter access controls can stop that kind of lateral movement.

Learning point: Secure internal tools and shares
Comments: Do not leave sensitive scripts lying around. Always follow least privilege principles, encrypt secrets, and use secret managers or environment variables instead of embedding sensitive information in code.
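A check a defender can run over a file share to find the kind of script that exposed the PAM admin credentials in this case. This is an added example, not Uber's or DNV's code; the two sample scripts and the detection patterns are constructed, and scan_share assumes the share is mounted as a local path.

```python
import re
from pathlib import Path

# Constructed sample scripts (not Uber's): the first embeds a privileged
# password and an API key in plain text; the second pulls the secret from a
# vault at run time via Get-Secret (Microsoft.PowerShell.SecretManagement),
# so nothing sensitive is ever written to the share.
BAD_SCRIPT = r'''
$user = "svc-pam-admin"
$pass = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
Invoke-RestMethod -Uri https://pam.example.internal/api -Credential $cred
$apiKey = "AKIA-CONSTRUCTED-EXAMPLE"
'''
GOOD_SCRIPT = r'''
# secret never appears in the file; "$env:..." and $variables are references
$pass = Get-Secret -Name PamAdmin -Vault CorpVault
$cred = New-Object System.Management.Automation.PSCredential("svc-pam-admin", $pass)
$token = "$env:PAM_TOKEN"
'''

# A quoted literal of 4+ characters that is not a "$variable" expansion.
LITERAL = r'''(["'])(?!\$)[^"']{4,}\1'''
PATTERNS = [
    re.compile(r"ConvertTo-SecureString\s+" + LITERAL + r"\s+-AsPlainText", re.I),
    re.compile(r"-(?:Password|Secret|ApiKey|Token)\s+" + LITERAL, re.I),
    re.compile(r"\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*" + LITERAL, re.I),
]

def find_hardcoded_secrets(script_text):
    """Return (line_number, line) for every line embedding a literal secret."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments are not executable
        if any(p.search(line) for p in PATTERNS):
            findings.append((lineno, stripped))
    return findings

def scan_share(root):
    """Walk a mounted share for .ps1 files; map each offending file to its findings."""
    report = {}
    for path in Path(root).rglob("*.ps1"):
        hits = find_hardcoded_secrets(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    for lineno, line in find_hardcoded_secrets(BAD_SCRIPT):
        print(f"line {lineno}: {line}")
```

The patterns are deliberately narrow (literal next to a credential-shaped parameter or variable name) so that vault lookups and environment references pass cleanly; extend PATTERNS for the conventions used in your own scripts.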
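Detection logic for the MFA fatigue sequence described above (repeated pushes to one user, then an approval), as an added example that is not part of the original article. The log format, field names and threshold are assumptions; the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an identity provider's push-MFA log (the field layout
# is an assumption, not a real product's format): a burst of prompts to one
# user that ends in an approval, followed by one ordinary login by another.
SAMPLE_LOG = """\
2022-09-15T21:03:11Z user=alice event=push result=denied ip=203.0.113.9
2022-09-15T21:03:40Z user=alice event=push result=timeout ip=203.0.113.9
2022-09-15T21:04:02Z user=alice event=push result=denied ip=203.0.113.9
2022-09-15T21:04:30Z user=alice event=push result=timeout ip=203.0.113.9
2022-09-15T21:05:15Z user=alice event=push result=approved ip=203.0.113.9
2022-09-15T21:06:00Z user=bob event=push result=approved ip=198.51.100.4
"""

BURST_THRESHOLD = 3            # unapproved pushes that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window per user

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return (user, alert_kind, timestamp) tuples.
    'push_burst' fires when a user's unapproved pushes in the window reach the
    threshold; 'approval_after_burst' fires when an approval lands on top of
    such a burst, which is the exact sequence that let the attacker in."""
    pending = defaultdict(deque)   # user -> timestamps of unapproved pushes
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "push":
            continue
        user, ts = rec["user"], rec["ts"]
        q = pending[user]
        while q and ts - q[0] > window:
            q.popleft()            # drop prompts that fell out of the window
        if rec.get("result") == "approved":
            if len(q) >= threshold:
                alerts.append((user, "approval_after_burst", ts))
            q.clear()              # session established; start counting afresh
        else:
            q.append(ts)
            if len(q) == threshold:
                alerts.append((user, "push_burst", ts))
    return alerts

if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {user}: {kind}")
```

The same counter is the basis for the preventive control the article mentions: an identity provider that stops issuing pushes once the burst threshold is reached removes the opportunity for the eventual accidental approval.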

Broader lessons 

“From an Identity and Access Management (IAM) perspective, the Uber breach exposed weak MFA protections, poor credential management, and excessive permissions. It reinforces the need for stronger authentication, the least privilege access, and secure handling of credentials to prevent similar attacks,” says Pascal van Vugt, Delivery Lead IAM, DNV Cyber. “Beyond the case-specific takeaways, the breach highlighted general challenges that an organization’s cybersecurity experts face around visibility, compliance and efficiency when designing and implementing robust IAM.” 

Challenge: Visibility
Key questions:
  • Do we have sufficient visibility over who or what can access multiple assets and information in our organization?
  • Is our process for governing access to assets and information good enough?

Challenge: Compliance
Key questions:
  • Do our digital identity processes and systems meet the growing number of national, regional, and industry regulatory requirements that we face?
  • Because of issues with our digital identity processes and systems, are we sure we will pass our next audit?

Challenge: Efficiency
Key questions:
  • Are our digital identity processes and systems efficient enough?
