An executive at rival ride-sharing company Lyft may be implicated in a massive breach of drivers’ records and data from Uber, Reuters reported late Thursday.
The breach of 50,000 driver records was disclosed by Uber in February, but actually happened in May 2014, and was discovered by Uber in September 2014. The company’s lawsuit now says the data was obtained via a company security key accessible on a public website, and people familiar with the matter told the news service that Lyft’s chief technology officer, Chris Lambert, has been implicated.
Lyft pushed back against that charge, saying in a statement to the Wall Street Journal that it had already investigated the matter and found no evidence Lambert was involved.
“We investigated this matter long ago and there are no facts or evidence that any Lyft employee, including Chris…had anything to do with Uber’s May 2014 data breach,” Lyft spokesman Brandon McCormick told the paper.
But Uber said it has evidence linking Lambert to the breach, according to people familiar with the matter. The most significant claim is that Lambert was allegedly directly linked to a Comcast IP address that was used to access the data. Uber had to sue to get that subscriber data from Comcast, which it did under a “John Doe” type lawsuit, often used when a defendant’s identity is unknown.
A federal magistrate judge in San Francisco approved Uber’s request for a subpoena for that information in July.
“This Comcast IP address is associated with somebody who had been scraping driver data from the Uber website,” Uber attorney James G. Snell, of Perkins Coie LLP, told the judge at the time. “It matters who that is. If this was a competitor.”
Uber’s case says the breach violated both the federal Computer Fraud and Abuse Act and a separate California law that provides similar protections.
“The Comcast IP address is the only IP address that accessed the GitHub post that Uber has not eliminated” from suspicion, the company said in court filings. Neither Lambert nor his attorneys, San Francisco law firm Boersch Shapiro LLP, responded to requests for comment.
McCormick wouldn’t confirm that the IP address belonged to Lambert, but told Reuters that Uber allowed the records to be publicly accessible for long stretches of time around the time the breach happened.
“Uber allowed login credentials for their driver database to be publicly accessible for months before and after the breach,” he told the news service.