Uber claims Lyft CTO is behind the February hack attack
Uber recently submitted new court filings seeking more information on an IP address believed to be involved in a hack that was made public in February, in which the names and email addresses of 50,000 of its drivers were stolen.
It is this IP address that, two Reuters sources claim, was assigned to Lyft's technology chief, Chris Lambert.
The perpetrator had access to an Uber digital security key, which ultimately left an open door to the company’s driver database. Although the key was publicly available, the sources claim Uber's investigation has pinpointed Lambert’s as one of the IP addresses accessing the data.
Uber sought the information through a subpoena of Comcast records, and a U.S. magistrate judge ruled that it would help reveal the “bad actor” behind the attack.
A Lyft spokesman said Monday that the company had investigated the matter internally and found that “there is no evidence that any Lyft employee, including [Lambert], downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach”. McCormick did not comment on whether or not the IP address in question was Lambert’s, nor on the scope or details of Lyft’s own investigation into the matter. Reached by The Verge, Uber declined to comment.
Uber’s lawsuit alleges the hacker violated civil provisions of the federal Computer Fraud and Abuse Act, as well as a similar California law.
The breach occurred after Uber inadvertently posted the security key on the code development platform GitHub in March of 2014; the key remained on the site for months.
Lawyers for the subscriber have insisted that because the key was posted publicly, just visiting the page was not an indication of guilt. Clearly the hacker had more sense, not only in using a VPN for the incursion, but also in selecting one in a country with such protectionist zeal about user privacy. The hacker’s numeric IP address is redacted from court papers.
Attorneys for the unnamed Comcast subscriber appealed to the 9th U.S. Circuit Court of Appeals, and Beeler put her ruling on hold pending the outcome.
They noted that automated web crawlers also visited the site with the security key. Judge Beeler did remark, however, that there is “no evidence” of the key’s availability outside of the accidental GitHub post.
Lyft and Uber compete fiercely for both drivers and customers.
Chris Lambert has been the CTO of the $2.5bn company since 2012, and formerly worked on the Google Maps and Google location project as a software engineer.