Breach Notification , Breach Response , Data Breach

Uber Breach Affects 50,000 Drivers

Ride-Sharing Service Files Lawsuit, Seeks GitHub Records
Uber Breach Affects 50,000 Drivers

Uber, which develops and markets a smartphone-based taxi-hailing and ride-sharing service, says it was the victim of a May 2014 database breach that compromised personal information for about 50,000 of its U.S. drivers, and which it first discovered more than five months ago. The firm says it's launched a related lawsuit and asked the court to subpoena records from the popular code-sharing website GitHub.

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

Uber, based in San Francisco, has long marketed its service as being "cheaper than a taxi." The company says its service is now available in more than 200 cities worldwide, and that more than 100,000 drivers use its smart phone app to receive transportation requests.

"On September 17, 2014, we discovered that one of our databases could potentially have been accessed by a third party," Katherine Tassi, Uber's managing counsel of data privacy, says in a Feb. 27 blog post. She notes that this "one-time unauthorized access to an Uber database by a third party had occurred on May 13, 2014," and that "upon discovery we immediately changed the access protocols for the database and began an in-depth investigation."

The blog does not offer an explanation for the long delay in the breach notification. Uber did not immediately respond to a request for further comment.

The company says information on 50,000 current and former U.S. drivers was exposed, and that the breached records included only their names and driver's license numbers. Uber says it will offer all of the drivers one year's free membership to an identity theft monitoring service provided by Experian. "To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts," Tassi says. "Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause."

John Doe Lawsuit

According to a related "John Doe" lawsuit filed in a northern California U.S. District Court on Feb. 27 by Uber, "on or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe used the unique security key to download Uber database files containing confidential and proprietary information from Uber's protected computers." Files relating to the lawsuit were posted online by the Register.

The use of a "fictitious defendant" or "John Doe" in a lawsuit allows a plaintiff to file a case when they don't know the location or identity of the defendant, and then amend the lawsuit if and when more details come to light. The tactic has previously been used in a number of hacking-related cases, including Microsoft's botnet disruptions.

As part of the lawsuit, Uber also requested that the court order a subpoena of GitHub, a popular, online code-repository service based on the open-source version control system Git - created by Linux creator Linus Trovalds - which is also based in San Francisco. The Feb. 27 subpoena seeks a list of all users who accessed a particular GitHub "gist" - ID 9556255 - relating to the Uber site's application programming interfaces. Such APIs can be used to provide direct access to databases, provided that programmers have the necessary log-in keys.

"Please produce all records, including but not limited to transactional or other logs, from March 14, 2014 to September 17, 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as well as any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts," Uber's proposed subpoena says. "This subpoena does not request the contents of any communications."

That gist has since been removed from GitHub - presumably on Sept. 17, which was the same day that Uber discovered it had been breached. The court documents say the GitHub post refers to the company's API, as well as a script, written in the Python language. Such scripts are often used to create Web applications and provide back-end database access.

Key Disclosure

Uber has not disclosed how it was hacked, how the attacker obtained the allegedly used "unique security key," or what type of database was breached, and the company didn't immediately respond to a related query. But a job listing for a database architect on LinkedIn, posted by Uber last year, noted that the company uses PostGres object-relational databases. In particular, the listing said the company was seeking someone with "PostgreSQL DBA experience (which is to say, more than us)," and adds that "knowledge of Python is a plus; knowledge of how to actually use it a huge plus."

Python scripts are often used in conjunction with PostGres databases.

Based on that job listing, it's apparent that "Uber may use PostGres," Mark Bower, vice president of product management and solution architecture for security software vendor Voltage Security, tells Information Security Media Group. That's relevant, because security experts say that securing data stored in a PostGres database can be a challenge. In particular, Bower notes that PostGres has a well-known potential weakness relating to "key disclosure issues" when encrypting database fields.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network