Uber's Probe of Breach Focuses on Lyft Executive
Investigators looking into last year's data breach and theft of drivers' records from Uber Technologies have found indications implicating an executive at rival ride-hailing app Lyft, said people familiar with the matter.
The Uber investigators believe the intruder used a company security key accessible on a public website to access as many as 50,000 driver records in May 2014, Uber said in court records in a lawsuit related to the breach. Uber discovered the breach in September 2014 and disclosed it in February.
Lyft denied that the executive in question, Chief Technology Officer Chris Lambert, or any of its employees were involved in the breach.
"We investigated this matter long ago and there are no facts or evidence that any Lyft employee, including Chris...had anything to do with Uber's May 2014 data breach," Lyft spokesman Brandon McCormick said in a written statement.
Uber and Lyft are bitter rivals that have poached drivers from each other, co-opted each other's innovations and competed to raise billions of dollars in capital. Uber operates in more than 330 cities world-wide and Lyft in 65 cities in the U.S.
Last month, Lyft teamed up with Chinese ride-sharing startup Didi Kuaidi Joint to allow users of either app to hail rides using the other app, in a move regarded as a type of alliance against Uber.
Uber's suspicions that a Lyft executive was involved in the breach were earlier reported by Reuters on Thursday.
In the wake of the data breach Uber filed a "John Doe" lawsuit, a type of legal action often used when the defendant's identity isn't known. Uber lawyers persuaded a federal judge in that case to order Comcast to release the records of a Comcast Internet-service subscriber who Uber claims appears to be connected with the breach.
Attorneys for the subscriber, who isn't named in court records, are appealing the judge's order, according to court documents, saying it "would cause embarrassment and reputational harm" to their client.
The subscriber's attorneys, from San Francisco Bay Area law firm Boersch Shapiro, didn't respond to requests for comment. On its website, Boersch says it has worked for such high-profile clients as American Express and Qwest Communications International.
Uber investigators believe they found evidence linking Mr. Lambert to the incident, which goes back to early 2014 and involved several steps, according to the people familiar with the matter.
Uber's investigation found that the intruder had gained access to a company database by using a security key that an Uber employee had accidentally posted on a public GitHub page in March 2014. GitHub is a website that programmers often use to swap bits of code while building software.
To mask his or her identity, the intruder used Anonine, a Swedish service that lets users browse the Internet anonymously, Uber attorneys said in court records. Anonine says it doesn't maintain user records.
Uber also won a subpoena for GitHub records on who visited the page hosting the security key, the company said in court records. Uber believes the records show that the visitors to the page were either Uber engineers; linked to "bots," or computers that troll the Internet automatically visiting websites; or an Internet address registered to Comcast, according to a court transcript.
Uber found that the same Comcast user had previously scraped data from its website holding driver information, an Uber attorney said at a court hearing.
"This Comcast IP address is associated with somebody who had been scraping driver data from the Uber website," Uber attorney James G. Snell, of Perkins Coie, told U.S. District Judge Laurel Beeler in San Francisco in July. Before the judge interjected, Mr. Snell said, "It matters who that is. If this was a competitor."
Following an Uber request, Judge Beeler ordered Comcast to tell Uber the subscriber's identity. The unidentified subscriber has appealed the order. Investigators also checked the Internet address against several databases, and found links to Mr. Lambert, according to the people familiar with the matter.
In its statement, Lyft said neither Mr. Lambert nor anyone else at the company "downloaded the Uber driver information." The statement said that "Uber allowed login credentials for their driver database to be publicly accessible on GitHub for months."
The Uber-Lyft rivalry extended to the courts last year when Lyft sued Travis VanderZanden, its former chief operating officer, for allegedly breaching a confidentiality agreement he signed upon joining the company.
Lyft argued that Mr. VanderZanden, who joined Uber a year ago, violated his contract by downloading confidential documents containing financial projections and product plans to his personal Dropbox account before his departure.
Mr. VanderZanden denied the allegations last year in a series of Tweets. The lawsuit is still pending.
Write to Danny Yadron at danny.yadron@wsj.com and Douglas MacMillan at douglas.macmillan@wsj.com