Uber is a darling of the investor class, most recently raising $1.6 billion from Goldman Sachs, as it’s raced out ahead of competitors like Lyft to cement market dominance in the US, all the while aiming for global domination.
But Uber is struggling in one area – privacy and data security – that might give pause to potential investors, customers or employees (or rather, independent contractors).
A breach of one of its databases in May 2014, in which the names and driver license numbers of 50,000 “driver partners” were stolen, is the latest entry on Uber’s growing list privacy and security blunders.
We say “the latest,” because Uber only just fessed up to it on Friday, 27 February.
In addition to disclosing the breach, Uber announced on the same day that it filed a lawsuit that will enable Uber to “gather information to help identify and prosecute this unauthorized third party.”
The lawsuit is what’s known as a “John Doe” because the defendant in the lawsuit is unknown, but Uber said this legal action will allow it to gather information to identify the perpetrator.
At the same time as this lawsuit, Uber filed a subpoena to produce documents that commands the code-sharing platform GitHub to release a trove of data Uber claims will help it track down the hacker or hackers.
Uber’s subpoena of GitHub, obtained by The Register, demands no less than the complete record of every person who visited two posts on GitHub between 14 March 2014 and 17 September 2014 – the date Uber says it discovered the breach.
Those records include IP addresses and any metadata from the browsers or devices that viewed the GitHub pages:
... please produce all records, including but not limited to transactional or other logs, from March 14 2014 to September 17 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as well as any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts.
What’s happening here?
Uber, as it noted in its John Doe lawsuit, knows the IP address that was used to access the compromised database “on or around May 12.”
Uber said that IP address was not associated with an Uber employee, but used a unique security key that was only available to certain employees to download files from the driver database.
As noted by The Register, it seems that the GitHub posts in question contained a leaked login key or Uber source code containing the key, and Uber is on a hunt to match the IP address of the intruder with a user who accessed the key information on GitHub.
You might be wondering, why can’t Uber simply subpoena the internet logs of the IP address it says is behind the breach?
Unfortunately, the IP address alone might not reveal very much.
Uber might be able to go to the IP’s internet service provider (assuming it’s within the subpoena’s jurisdiction) and match the IP to a customer, but of course there’s no guarantee that the customer is actually the guilty party. Attackers are in the habit of covering their tracks by using other people’s computers as proxies.
Uber’s best chance of tracking down the hacker might be getting GitHub’s records to match up the IP address with a GitHub user login, but even that would rely on the attacker having used their own account to access GitHub.
Still, Uber’s demand for all records over a six month period, including four months after the breach occurred, might be an overreach.
A harder question for Uber to answer – why is it only seeking this information now, more than four months after it discovered the breach?
Uber also said it is “notifying” drivers who were affected by the breach, which would indicate that the company got a late start on that as well.
The statement from Uber’s managing counsel of data privacy, Katherine Tassi, says Uber “takes seriously our responsibility to safeguard personal information.”
That statement is a little hard to take seriously.