Sep 19, 2022 - Economy

Employee cellphone attacks pose new threat to companies

Illustration of a smartphone with an angry face multiplying into many smartphones.

Illustration: Brendan Lynch/Axios

Workers are being tricked into giving up their digital credentials through their most trusted device — their cellphones.

Why it matters: Companies are now more vulnerable than ever to large-scale hacks as employees work from home and use their personal devices.

Driving the news: Uber is investigating a hack that compromised its internal systems — including Slack as well as its source code — after a contractor’s personal device was infected with malware, the company said today.

  • The attacker (or attackers) is believed to be affiliated with a group which has also breached companies including Microsoft and Samsung this year and claimed responsibility for an unprecedented leak of Grand Theft Auto footage from an unreleased game. 

What’s happening: Managing threats has become harder as more people work from home and use their personal devices to do work, or their work devices to do personal things.

  • Targeting workers through phone-based phishing campaigns also suggests hackers have found an efficient way to breach bigger companies that have more layered and sophisticated cybersecurity protections, says Sam Rubin, vice president of North American security consulting at Palo Alto Networks. 

What they’re saying: Security teams are struggling to keep up with “an avalanche” of apps, accounts and credentials, personal devices and data, Jaime Blasco, cofounder and CTO at Nudge Security, tells Axios.

The big picture: In his whistleblower complaint, ex-Twitter security chief Peiter "Mudge" Zatko claimed half of the company's 7,000 employees have wide access to the company's internal software — out of necessity.

  • "They don’t know what data they have, where it lives or where it came from, and so unsurprisingly they can’t protect it," Zatko told senators during a hearing last week. 

Our thought bubble: Companies have been investing so heavily in keeping bad actors out that it’s easy both to underestimate and to undertrain employees on cybersecurity.
