|
 In February, Uber revealed that as many as 50,000 of its drivers'
names and license numbers had been improperly downloaded, and the
company filed a lawsuit in San Francisco federal court in an attempt
to unmask the perpetrator.
Uber's court papers claim that an unidentified person using a
Comcast IP address had access to a security key used in the breach.
The two sources said the address was assigned to Lyft's technology
chief, Chris Lambert.
The court papers draw no direct connection between the Comcast IP
address and the hacker. In fact, the IP address was not the one from
which the data breach was launched.
However, U.S. Magistrate Judge Laurel Beeler ruled that the
information sought by Uber in a subpoena of Comcast records was
"reasonably likely" to help reveal the "bad actor" responsible for
the hack.
On Monday, Lyft spokesman Brandon McCormick said the company had
investigated the matter "long ago" and concluded “there is no
evidence that any Lyft employee, including Chris, downloaded the
Uber driver information or database, or had anything to do with
Uber’s May 2014 data breach."
 McCormick declined to comment on whether the Comcast IP address
belongs to Lambert. He also declined to describe the scope of Lyft’s
internal investigation or say who directed it.
Lambert declined to comment in person or over email.
Attorneys for the Comcast subscriber, who is not named in court
documents, did not respond to an interview request on Monday.
In an email on Monday, an Uber spokeswoman declined to comment on
any aspect of the case beyond what is in court filings, including
what led the company to believe that more information about the
Comcast subscriber might lead them to the hacker.
Uber's lawsuit alleges the hacker violated civil provisions of the
federal Computer Fraud and Abuse Act, as well as a similar
California law. It is unclear if the leaked driver information was
ever used by the hacker or anyone else.
According to documents filed in the case, the company learned months
after the hack that someone had used an Uber digital security key to
access the driver database. A copy of the key was inadvertently
posted by Uber on one of its public pages on the code development
platform GitHub in March of 2014, prior to the breach, the court
filings show, and remained there for months.
After Uber discovered the unauthorized download, it examined the
Internet Protocol addresses of every visitor to the page during the
time between when the key was posted and when the breach occurred,
according to court documents. The Uber review concluded that "the
Comcast IP address is the only IP address that accessed the GitHub
post that Uber has not eliminated" from suspicion, court papers say.
The numeric Comcast IP address and some other details have been
redacted from court filings, so Reuters was unable to independently
assess whether there was a connection between Lambert and the
Comcast IP address. The two sources, however, said Uber researched
the address and discovered that it showed up elsewhere in Internet
postings associated with Lambert, and that the address was assigned
to his name.
Lawyers for the unnamed Comcast subscriber have pointed out in court
that the web page containing the key was publicly available and that
anyone could have visited the site without violating any laws. They
also stressed that the data breach stemmed from a different IP
address.
[to top of second column] |
In his statement on Monday, Lyft spokesman McCormick noted that
"Uber allowed login credentials for their driver database to be
publicly accessible for months before and after the breach."
The two sources said that the address from which the hack was
launched is associated with a virtual private network service. One
of them added that the service is based in a Scandinavian country
and is known for vigorously protecting the privacy of its users. The
hacker's numeric IP address is redacted from court papers.
In July, the federal magistrate judge in San Francisco approved
Uber's request for a subpoena granting the company access to the
Comcast subscriber's identity, source of payment and other
subscription details. The subpoena also requires Comcast to disclose
information connecting the subscriber to certain other IP addresses
and to the GitHub web pages.
Attorneys for the unnamed Comcast subscriber appealed to the 9th
U.S. Circuit Court of Appeals, and Beeler put her ruling on hold
pending the outcome.
In fighting the subpoena, the subscriber's attorneys asserted in
court that Uber has improperly focused on their client instead of
other possible perpetrators of the breach.
They noted that automated web crawlers also visited the site with
the security key. Google and other search engines use such crawlers
to visit and gather information from web pages for indexing and
caching. One of those crawlers could have saved the key somewhere
else, the subscriber's attorneys argued in court filings, where it
could have been accessed by the hacker.
The attorneys also suggested that a disgruntled Uber engineer could
have taken the driver data to a new job, as it would be valuable for
a competitor.
In her ruling, Beeler concluded there was "no evidence" that the key
was available anywhere else online other than the place Uber
inadvertently posted it.
Lyft, with a valuation of $2.5 billion, is much smaller than rival
Uber, valued at $51 billion, based on previous funding rounds. The
companies compete fiercely for drivers and customers.
Lambert has been Lyft’s CTO since 2012, according to his LinkedIn
page. Prior to that, he was a software engineer at Google for 5
years, working on mobile maps and Google location.
(Reporting By Dan Levine and Joseph Menn; Editing by Sue Horton and
Amy Stevens)
[© 2015 Thomson Reuters. All rights
reserved.]
Copyright 2015 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
