Investigators looking into last year's data breach and theft of
drivers' records from Uber Technologies Inc. have found indications
implicating an executive at rival ride-hailing app Lyft Inc., said
people familiar with the matter.
The Uber investigators believe the intruder used a company
security key accessible on a public website to access as many as
50,000 driver records in May 2014, Uber said in court records in a
lawsuit related to the breach. Uber discovered the breach in
September 2014 and disclosed it in February.
Lyft denied that the executive in question, Chief Technology
Officer Chris Lambert, or any of its employees were involved in the
breach.
"We investigated this matter long ago and there are no facts or
evidence that any Lyft employee, including Chris…had anything to do
with Uber's May 2014 data breach," Lyft spokesman Brandon McCormick
said in a written statement.
Uber and Lyft are bitter rivals that have poached drivers from
each another, co-opted each other's innovations and competed to
raise billions of dollars in capital. Uber operates in more than
330 cities world-wide and Lyft in 65 cities in the U.S. Last month,
Lyft teamed up with Chinese ride-sharing startup Didi Kuaidi Joint
Co. to allow users of either app to hail rides the other's drivers,
in a move regarded as an alliance against Uber.
Uber's suspicions that a Lyft executive was involved in the
breach were earlier reported by Reuters on Thursday.
In the wake of the data breach Uber filed a "John Doe" lawsuit,
a type of legal action often used when the defendant's identity
isn't known. Uber lawyers persuaded a federal judge in that case to
order Comcast Corp. to release the records of a Comcast
Internet-service subscriber who Uber claims appears to be connected
with the breach.
Attorneys for the subscriber, who isn't named in court records,
are appealing the judge's order, according to court documents,
saying it "would cause embarrassment and reputational harm" to
their client.
The subscriber's attorneys, from San Francisco Bay Area law firm
Boersch Shapiro LLP, didn't respond to requests for comment. On its
website, Boersch says it has worked for such high-profile clients
as American Express Co. and Qwest Communications International
Inc.
Uber investigators believe they found evidence linking Mr.
Lambert to the incident, which goes back to early 2014 and involved
several steps, according to the people familiar with the
matter.
Uber's investigation found that the intruder had gained access
to a company database by using a security key that an Uber employee
had accidentally posted on a public GitHub page in March 2014.
GitHub is a website that programmers often use to swap bits of code
while building software.
To mask his or her identity, the intruder used Anonine, a
Swedish service that lets users browse the Internet anonymously,
Uber attorneys said in court records. Anonine says it doesn't
maintain user records.
Uber also won a subpoena for GitHub records on who visited the
page hosting the security key, the company said in court records.
Uber believes the records that the visitors to the page were either
Uber engineers; linked to "bots," or computers that troll the
Internet automatically visiting websites; or an Internet address
registered to Comcast, according to a court transcript.
Uber found that the same Comcast user had previously scraped
data from its website holding driver information, an Uber attorney
said at a court hearing.
"This Comcast IP address is associated with somebody who had
been scraping driver data from the Uber website," Uber attorney
James G. Snell, of Perkins Coie LLP, told U.S. District Judge
Laurel Beeler in San Francisco in July. Before the judge
interjected, Mr. Snell said, "It matters who that is. If this was a
competitor."
Following an Uber request, Judge Beeler ordered Comcast to tell
Uber the subscriber's identity. The unidentified subscriber has
appealed the order. Investigators also checked the Internet address
against several databases, and found links to Mr. Lambert,
according to the people familiar with the matter.
In its statement, Lyft said neither Mr. Lambert nor anyone else
at the company "downloaded the Uber driver information." The
statement said that "Uber allowed login credentials for their
driver database to be publicly accessible on GitHub for
months."
The Uber-Lyft rivalry extended to the courts last year when Lyft
sued Travis VanderZanden, its former chief operating officer, for
allegedly breaching a confidentiality agreement he signed upon
joining the company.
Lyft argued that Mr. VanderZanden, who joined Uber a year ago,
violated his contract by downloading confidential documents
containing financial projections and product plans to his personal
Dropbox account before his departure.
Mr. VanderZanden denied the allegations last year in a series of
Tweets. The lawsuit is still pending.
Write to Danny Yadron at danny.yadron@wsj.com and Douglas
MacMillan at douglas.macmillan@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires
(END) Dow Jones Newswires
October 08, 2015 21:55 ET (01:55 GMT)
Copyright (c) 2015 Dow Jones & Company, Inc.
Comcast (NASDAQ:CMCSK)
Historical Stock Chart
From Mar 2024 to Apr 2024
Comcast (NASDAQ:CMCSK)
Historical Stock Chart
From Apr 2023 to Apr 2024
