San Francisco - Eight months after disclosing a major data breach, ride service Uber is focusing its legal efforts on learning more about an internet address that it has persuaded a court could lead to identifying the hacker. That address, two sources familiar with the matter say, can be traced to the chief of technology at its main US rival, Lyft.
In February, Uber revealed that as many as 50 000 of its drivers' names and license numbers had been improperly downloaded, and the company filed a lawsuit in San Francisco federal court in an attempt to unmask the perpetrator.
Uber's court papers claim that an unidentified person using a Comcast IP address had access to a security key used in the breach. The two sources said the address was assigned to Lyft's technology chief, Chris Lambert.
The court papers draw no direct connection between the Comcast IP address and the hacker. In fact, the IP address was not the one from which the data breach was launched.
However, US Magistrate Judge Laurel Beeler ruled that the information sought by Uber in a subpoena of Comcast records was "reasonably likely" to help reveal the "bad actor" responsible for the hack.
Leaked driver information
On Monday, Lyft spokesperson Brandon McCormick said the company had investigated the matter "long ago" and concluded "there is no evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber's May 2014 data breach".
McCormick declined to comment on whether the Comcast IP address belongs to Lambert. He also declined to describe the scope of Lyft's internal investigation or say who directed it.
Lambert declined to comment in person or over email.
Attorneys for the Comcast subscriber, who is not named in court documents, did not respond to an interview request on Monday.
In an email on Monday, an Uber representative declined to comment on any aspect of the case beyond what is in court filings, including what led the company to believe that more information about the Comcast subscriber might lead them to the hacker.
Uber's lawsuit alleges the hacker violated civil provisions of the federal Computer Fraud and Abuse Act, as well as a similar California law. It is unclear if the leaked driver information was ever used by the hacker or anyone else.
According to documents filed in the case, the company learned months after the hack that someone had used an Uber digital security key to access the driver database. A copy of the key was inadvertently posted by Uber on one of its public pages on the code development platform GitHub in March of 2014, prior to the breach, the court filings show, and remained there for months.