Earlier it was reported that internet-based taxi company Uber had confirmed that an unknown third party had accessed its databases and obtained the names and license numbers of some 50,000 Uber partner drivers. The story, which began with a blog post from Katherine Tassi, Uber’s Managing Counsel of Data Privacy, was mostly a public reassurance that though something had gone wrong, everything was now under control and the problem should never occur again. The blog post went so far as to say that “Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause.”
That may be the case now, but it surely was not the case some months ago.
Ars Technica reported that the origin of this security breach was mostly due to Uber’s own incompetence. Uber, attempting to determine the culprit behind this recent security breach, is taking legal action to compel the collaboration website GitHub to reveal exactly who accessed two GitHub gists. Why is this information pertinent? Uber’s lawyers have stated that those URLs contained the security keys required to access the information that would eventually be stolen.
Ars Technica cites the legal language that seems to make this rather clear:
“The contents of these internal database files are closely guarded by Uber… Accessing them from Uber’s protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorized to access the files. On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers.”
Perhaps “stolen” is no longer the correct word. Uber has yet to comment on this allegation one way or the other.