Uber has subpoenaed GitHub to unmask netizens suspected of hacking its database of taxi drivers.
The ride-booking app maker is trying to force GitHub [PDF] to hand over the IP addresses of anyone who visited a particular gist post between March and September last year.
That gist is believed to have contained a login key used by a hacker to access an internal Uber database of 50,000 drivers. Github refused to hand over the information, leading to Friday's subpoena filing.
Uber has also launched a John Doe lawsuit [PDF] in the district court of northern California against the mystery hacker. Uber and GitHub are both headquartered in San Francisco, California.
"On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe used the unique security key to download Uber database files containing confidential and proprietary information from Uber’s protected computers," the lawsuit's paperwork reads.
In a blog post on Friday, Uber admitted the database of driver names and license plates was accessed by the hacker way back in May, but the startup only noticed in September.
Uber's security team knows the public IP address used by the database invader, and wants to link that number against the IP addresses and usernames of anyone who looked at the GitHub-hosted gist in question – ID 9556255 – which we note today no longer exists.
It's possible the gist contained a leaked login key, or internal source code that contained a key that should not have been made public. We won't speculate further.
Uber wants GitHub to provide...
all records, including but not limited to transactional or other logs, from March 14, 2014 to September 17, 2014, identifying the IP addresses or subscribers that viewed, accessed, or modified these posts and the date/time of access, viewing, or modification, as well as any records or metadata relating to the browser (i.e., logged HTTP headers, including cookies) or device that viewed, accessed, or modified the posts.
In other words, Uber hopes it will find an online breadcrumb trail from the gist to whoever hacked its systems. Quite why Uber has waited more than five months to subpoena GitHub is unclear, and the taxi-booking biz has refused to explain the delay.
In its statement, Uber's Managing Counsel of Data Privacy Katherine Tassi said the breach covered "current and former Uber driver partner names and driver’s license numbers," and is offering a year of credit monitoring for free to those whose details were leaked.
In keeping with its image as a gas tank of ethics running on empty, Uber does not provide an explanation for why it did not inform its drivers their details had been swiped until it decided to file a lawsuit five months later.
The post noted that the company had "not received any reports of actual misuse of information as a result of this incident." ®
Sponsored: Network DDoS protection
from ffffff http://go.theregister.com/feed/www.theregister.co.uk/2015/02/28/uber_subpoenas_github_for_hacker_details/
via IFTTT
0 comentarios:
Publicar un comentario