Eight months ago, Uber publicly revealed it had suffered a major data breach of its database. During the attack, which took place in early 2014, roughly 50,000 Uber drivers’ names and license numbers were downloaded. The ride hailing service’s legal investigations into the hack led to an IP address which it believes could identify the person responsible. An address that two sources familiar with the matter claim was assigned to the chief technology officer of the company’s biggest US rival, Lyft.
After Uber disclosed the hack in February, the company filed a lawsuit in the San Francisco federal court in an effort to unmask whoever was behind the attack. According to Uber’s court papers, an at-the-time unidentified person using a Comcast IP address had access to a security key used in the breach. The two sources say this IP address could be traced back to Chris Lambert, Lyft’s CTO, according to Reuters.
It’s been pointed out that the court papers draw no direct correlation between the IP address and the person responsible for the hack. Uber obtained the address through a process of elimination by working through all the IPs which accessed a critical security key that had accidentally been deposited on the public code-sharing platform GitHub in March of 2014. The actual IP address associated directly with the breach was one used by a Virtual Private Network service in Scandinavia. However, the Judge in the case, Laurel Beeler, said the information sought by Uber in a subpoena of Comcast records was "reasonably likely" to help reveal the "bad actor" behind the breach.
In response to the allegations, Lyft spokesman Brandon McCormick said that the company had investigated the matter "long ago" and that “there is no evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach." McCormick declined to comment when questioned if the IP address did belong to Lambert.
Lawyers representing the person associated with the Comcast address argued that the automated search engines which accessed the GitHub information could have left duplicated copies of information about the key. They also claim Uber has unfairly focused on their client, and that the hack could have originated from within the company. Judge Beeler did remark, however, that there is “no evidence” of the key’s availability outside of the accidental GitHub post.
Chris Lambert, who has been Lyft CTO since 2012, has declined to comment.