SAN FRANCISCO (by Joseph Menn and Dan Levine for Reuters) — The U.S. Department of Justice is pursuing a criminal investigation of a May 2014 data breach at ride service Uber, including an examination of whether any employees at competitor Lyft were involved in the episode, sources familiar with the situation said.
Earlier this year, Uber revealed that as many as 50,000 of its drivers’ names and their license numbers had been improperly downloaded. An investigation by Uber determined that an Internet address potentially associated with the breach can be traced to Lyft’s technology chief, Chris Lambert, Reuters reported in October.
Department of Justice spokesman Abraham Simmons said on Wednesday he could not confirm or deny a criminal probe. No one has been accused of any wrongdoing, and it is unclear whether anyone will ultimately be charged in connection with the breach.
A recently hired attorney for Lambert, former federal prosecutor Miles Ehrlich, said Lambert “had nothing to do” with the breach.
“Given that Uber apparently lost driver data, a law enforcement investigation is to be expected,” Ehrlich said. “And the benefit is that the culprit here is going to be identified — and that’s going to remove Chris’ name from any conversation about Uber’s data breach, as it should.”
In a statement on Friday, Lyft said “we have not been contacted by the DOJ, U.S. Attorney’s office or any other state or federal government agency regarding any investigation.”
Uber declined to comment. The people familiar with the matter could not be named because they were not authorized to speak publicly.
Search for hackers
Lyft is much smaller than Uber, which operates in more than 300 cities in 67 countries and has raised $7.4 billion from investors. The companies, based in San Francisco, compete fiercely for drivers and customers.
Uber learned last year that someone downloaded its driver database, which should have been accessible only with a digital security key. A search for that key turned up a copy on the code-development site GitHub, where it had been left by mistake.
Uber then obtained information from GitHub about who had connected to that page before the breach and found only one Internet Protocol address that did not belong to an Uber user or have another plausible explanation, according to court documents.
Uber filed a civil lawsuit in San Francisco federal court in February in an attempt to unmask the perpetrator. The company’s court papers claim that an unidentified person using a Comcast IP address had access to the security key.
On its own, Uber investigated that address and determined that it had been assigned to Lambert, Reuters reported in October.
A U.S. judge ruled that Uber could further probe the IP address, saying it was “reasonably likely” that such an inquiry could help identify the hacker. That ruling is on hold pending an appeal.
Attorneys for the unnamed Comcast subscriber have pointed out in court that the data breach was conducted from a different IP address than the Comcast address that accessed the security key. Lyft said that Uber allowed the key for the database “to be publicly accessible for months before and after the breach.”
The IP address the hacker used is associated with Anonine, a virtual private network service based in Sweden that is known for vigorously protecting the privacy of its users, two people familiar with the situation told Reuters.
Ehrlich said Lambert offered to provide Uber with a sworn statement that he had nothing to do with the breach, made under penalty of perjury.
Lambert signed the statement over the summer, a separate source familiar with the situation said. In it, Lambert also said he was not aware of anyone who has copies of Uber’s database, and that he did not instruct anyone to access it, the source said.
However, Lyft and Ehrlich declined to confirm or deny that Lambert’s Comcast address connected to the GitHub page containing the key. They also declined to give details about Lyft’s internal investigation of the matter.
Lyft reiterated on Friday that it investigated the matter “long ago” and concluded “there is no evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”
Uber’s lawsuit alleges the hacker violated civil provisions of the federal Computer Fraud and Abuse Act, as well as a similar California law. It is unclear if the leaked driver information was ever used by the hacker or anyone else.
(Editing by Jonathan Weber and Matthew Lewis)