Uber’s on a hunt for the attacker that compromised its drivers’ database

Late last week, Uber’s Managing Counsel of Data Privacy Katherine Tassi revealed that the company suffered a data breach. One of its databases, which contains Uber drivers’ names and their license numbers, was accessed by a third party.

The unauthorized access happened on May 13, 2014, but was discovered by Uber only four months later, on September 17.

“Upon discovery we immediately changed the access protocols for the database and began an in-depth investigation,” Tassi noted. The investigation found that information on approximately 50,000 drivers across multiple states was accessed.

“To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts,” she added. She has not commented on why it took the company so long to inform the affected parties, who will be provided with a free one-year membership for an identity-monitoring service.

The company has filed a “John Doe” lawsuit aimed at discovering the identity of the attacker. They know the IP address from which he accessed the database, and believe that the attacker managed to gain access because he knew the unique security key that protects it.

According to The Register, this particular security/login key was publicly available in a GitHub gist post, which has since been deleted, and Uber tried to get GitHub to voluntarily fork over the access log for the gist.

GitHub said no, and Uber is now trying to get GitHub served with a subpoena to force it to provide all the records it has that show who accessed and modified the gist post in question between March 14, 2014 and September 17, 2014.