Security key for downloading database was on GitHub

Feb 28, 2015 09:52 GMT

An internal database of mobile app-based transportation network Uber has been accessed without authorization by a third party that has yet to be identified, exposing information of 50,000 former and current drivers.

The illegal access occurred on May 13, 2014, but the company identified the incident on September 17, 2014, and has implemented the necessary security measures to avoid similar risks in the future.

Company initiated action to find the hacker

In an official statement disclosing the incident, Uber says that the perpetrator accessed the content only once, but a cybercriminal would not need more to extract the data.

The information exposed included names and driver’s license numbers, which could be used by criminals to impersonate the victim in traffic. If they get stopped in traffic by law enforcement, they can provide the fake documentation and direct all legal action towards the victim.

Uber says that, upon learning about the illegal access, it immediately locked the database by changing the access protocols, and started an investigation to determine the identity of the perpetrator.

To this end, the company initiated a John Doe lawsuit against the hacker. Should the perp be found, they would have to pay for the damage caused to Uber, including attorney fees. The loss incurred by the company as a result of the investigation is more than $5,000 / €4,500.

It appears that the perpetrator was able to download the database by using data made available on GitHub. The entry, which has been removed, is believed to have included a security key that made it possible to download the database, according to the court document obtained by The Register.

GitHub has been served a subpoena to provide the log files with all IPs that accessed, viewed or modified a certain entry in the repository during the aforementioned time interval.

Complimentary identity protection services offered

Katherine Tassi, Uber’s Managing Counsel of Data Privacy, said on Friday that the company decided to provide a free one-year subscription for identity protection services to all individuals impacted by the incident.

The details for subscribing to the service are available in the notification letter sent to the affected individuals.

She says that there is no evidence at the moment that the information in the exposed database has been misused in any way. However, the recommendation is that all affected drivers monitor their credit reports for fraudulent transactions.

Launched publicly in 2010, Uber has grown to become available in more than 200 cities in the US, and over 100,000 drivers rely on its app to receive requests for transportation services.