Justice Department Investigates Uber Data Breach

Shutterstock

The U.S. Department of Justice launched a criminal investigation to find out if employees of Lyft were involved in a data breach against competitor Uber in May 2014.

According to Reuters, the May 2014 breach at Uber included as many as 50,000 drivers’ names and licence numbers being downloaded. An independent investigation conducted by Uber concluded that the Internet address of Lyft’s technology chief, Chris Lambert, was potentially associated with the breach.

The Department of Justice maintains that it is not necessarily conducting an investigation, that no one has been accused of any wrongdoing and that it is unclear whether anyone would ultimately be charged in the matter.

A recently hired attorney for Lambert, former federal prosecutor Miles Ehrlich, said Lambert “had nothing to do” with the breach.

“Given that Uber apparently lost driver data,” he continued, “a law enforcement investigation is to be expected, and the benefit is that the culprit here is going to be identified. That’s going to remove Chris’ name from any conversation about Uber’s data breach, as it should.”

Lyft also released a statement on Friday (De. 18) saying, “We have not been contacted by the DOJ, U.S. Attorney’s office or any other state or federal government agency regarding any investigation.”

According to Reuters, Uber was alerted that someone had downloaded its driver database, which should have only been accessible with the use of a digital security key, available to Uber employees only, late last year. Upon searching for that key, a copy was found on the publicly available code development site GitHub, where it had been left by mistake. Uber reached out to GitHub to obtain information about who had accessed that page before the breach and found one Internet Protocol address that did not belong to an Uber user or have another plausible explanation, according to court documents.

In order to identify the IP address of that individual, Uber conducted its own private investigation — the constitutionality of that move is currently under review by a U.S. judge — and found the address belonged to Lambert. Lambert has since signed a statement saying he had not been involved in the breach and was not aware of anyone who had copies of Uber’s database, and that he did not instruct anyone to access it, according to a source who spoke with Reuters.

However, Lyft and Ehrlich have declined to confirm or deny that Lambert’s Comcast IP address connected to the GitHub page containing the key. They also declined to give details about Lyft’s internal investigation of the matter.