Earlier this year, Uber revealed that as many as 50,000 of its
drivers' names and their license numbers had been improperly
downloaded. An investigation by Uber determined that an Internet
address potentially associated with the breach can be traced to
Lyft's technology chief, Chris Lambert, Reuters reported in October.
Department of Justice spokesman Abraham Simmons said on Wednesday he
could not confirm or deny a criminal probe. No one has been accused
of any wrongdoing, and it is unclear whether anyone will ultimately
be charged in connection with the breach.
A recently hired attorney for Lambert, former federal prosecutor
Miles Ehrlich, said Lambert "had nothing to do" with the breach.
"Given that Uber apparently lost driver data, a law enforcement
investigation is to be expected," Ehrlich said. "And the benefit is
that the culprit here is going to be identified - and that's going
to remove Chris' name from any conversation about Uber's data
breach, as it should."
In a statement on Friday, Lyft said "we have not been contacted by
the DOJ, U.S. Attorney's office or any other state or federal
government agency regarding any investigation."
Uber declined to comment. The people familiar with the matter could
not be named because they were not authorized to speak publicly.
SEARCH FOR HACKER
Lyft is much smaller than Uber, which operates in more than 300
cities in 67 countries and has raised $7.4 billion from investors.
The companies, based in San Francisco, compete fiercely for drivers
Uber learned last year that someone downloaded its driver database,
which should have been accessible only with a digital security key.
A search for that key turned up a copy on the code-development site
GitHub, where it had been left by mistake.
Uber then obtained information from GitHub about who had connected
to that page before the breach and found only one Internet Protocol
address that did not belong to an Uber user or have another
plausible explanation, according to court documents.
Uber filed a civil lawsuit in San Francisco federal court in
February in an attempt to unmask the perpetrator. The company's
court papers claim that an unidentified person using a Comcast IP
address had access to the security key.
On its own, Uber investigated that address and determined that it
had been assigned to Lambert, Reuters reported in October.
A U.S. judge ruled that Uber could further probe the IP address,
saying it was "reasonably likely" that such an inquiry could help
identify the hacker. That ruling is on hold pending an appeal.
[to top of second column]
Attorneys for the unnamed Comcast subscriber have pointed out in
court that the data breach was conducted from a different IP address
than the Comcast address that accessed the security key. Lyft said
that Uber allowed the key for the database "to be publicly
accessible for months before and after the breach."
The IP address the hacker used is associated with Anonine, a virtual
private network service based in Sweden that is known for vigorously
protecting the privacy of its users, two people familiar with the
situation told Reuters.
Ehrlich said Lambert offered to provide Uber with a sworn statement
that he had nothing to do with the breach, made under penalty of
Lambert signed the statement over the summer, a separate source
familiar with the situation said. In it, Lambert also said he was
not aware of anyone who has copies of Uber's database, and that he
did not instruct anyone to access it, the source said.
However, Lyft and Ehrlich declined to confirm or deny that Lambert's
Comcast address connected to the GitHub page containing the key.
They also declined to give details about Lyft's internal
investigation of the matter.
Lyft reiterated on Friday that it investigated the matter "long ago"
and concluded "there is no evidence that any Lyft employee,
including Chris, downloaded the Uber driver information or database,
or had anything to do with Uber's May 2014 data breach."
Uber's lawsuit alleges the hacker violated civil provisions of the
federal Computer Fraud and Abuse Act, as well as a similar
California law. It is unclear if the leaked driver information was
ever used by the hacker or anyone else.
(Editing by Jonathan Weber and Matthew Lewis)
[© 2015 Thomson Reuters. All rights
Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.