Uber Security Key May Have Been Stored In Public Repository

The key that allowed cyber-thieves to access an internal Uber database and steal personal details on about 50,000 drivers may have been stored in a publicly accessible repository on code hosting service GitHub, according to court documents filed by the taxi app start-up.

In support of the “John Doe” lawsuit filed against the unknown intruders, Uber subpoenaed GitHub in an effort to force it to disclose the IP addresses of all users who accessed two URLs linking to a now-unavailable repository – known as a gist – between March and September 2014.

The incident occurred in May of last year, and was discovered in September, according to the company, but Uber only made the incident public on Friday, more than five months after its discovery.

In the lawsuit, Uber states that the database in question was accessed using a “unique security key” with restricted access, leading industry observers to speculate that the key in question, or data providing access to it, may have been stored in the GitHub repository. The repository’s exact content was not disclosed, nor did Uber indicate who created it or how the key may have come to be stored in it.

The company indicated in its lawsuit that it knows the IP address from which the database in question was accessed, stating that “on or around 12 May, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers”.

The company declined to add to its Friday statement, in which it said that upon discovering the breach it “immediately… changed the access protocols for the database, removing the possibility of unauthorized access”.

Security experts have warned users against storing sensitive information on code hosting services such as GitHub, with reports indicating that passwords and other access credentials found on such sites have provided access to sensitive data at major companies, including Google’s internal code for its Chrome browser.
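As an added illustration of the kind of check that keeps credentials out of a public gist or repository, here is a small pre-commit style scanner that flags known credential formats and high-entropy strings. This is example code written for this page, not code from Uber or GitHub; the signature list is deliberately short, and the configuration fragment and every value in it are constructed.

```python
import math
import re
from collections import Counter

# Signatures of well-known credential formats (a constructed, non-exhaustive list).
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # keyword followed by '=' or ':' and a value of at least 16 token characters
    "credential_assignment": re.compile(
        r"(?i)\b(?:secret|password|passwd|api[_-]?key|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}
# Any run of 20+ token characters is a candidate for the entropy check.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex tops out at 4.0, random base64 at 6.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_kind, matched_value) for each suspected secret.

    Signature hits are reported first; a value already reported on a line is not
    reported again by the entropy check, so each secret appears once.
    """
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SIGNATURES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if (lineno, value) not in seen:
                    seen.add((lineno, value))
                    findings.append((lineno, kind, value))
        for tok in TOKEN.findall(line):
            if (lineno, tok) not in seen and shannon_entropy(tok) >= entropy_threshold:
                seen.add((lineno, tok))
                findings.append((lineno, "high_entropy_string", tok))
    return findings


# Constructed configuration fragment; none of these values are real credentials.
SAMPLE = """\
# constructed config fragment for the example; the values are not real credentials
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
token = "3f9a2b7c1d4e6f8a0b1c2d3e4f5a6b7c"
-----BEGIN RSA PRIVATE KEY-----
SESSION_SIGNING = "q7mXc2vB9nRz4kLp0wYt5hJe1gAs8dFu"
log_level = "debug"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

Wired into a pre-commit hook, a non-empty result from scan_text over the staged files is the signal to block the commit and review it before anything reaches a public repository.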

Data protection

Uber has come under fire in the past over its protection of the sensitive data it holds on both drivers and passengers.

Its lost-and-found records were briefly published in February, containing personal information such as telephone numbers, and in November it emerged that an Uber executive had used the company’s tracking tools to monitor the movements of a journalist without her permission.

As a result of the controversy over this incident, the firm updated its privacy policy to clarify that “all employees at every level” are prohibited from accessing passenger and driver data.

However, reports alleged that another Uber executive had suggested using the tracking tools to find leverage against journalists critical of the company, and Uber has said it has internal policies allowing the use of its tracking tools for “legitimate business purposes”.

The company has attracted controversy for disregarding local regulations in the cities where it operates, including London, where the transport body that regulates London’s taxis and minicabs last year referred the company to British tax officials.

In January, Uber’s chief executive promised thousands of new jobs in Europe for cities that join in a “new partnership” with the company.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
