Taxi service Uber has subpoenaed GitHub in a bid to find out the identity of the person who managed to illegally access its database of drivers’ details, exposing up to 50,000 of them last year.
The firm’s managing counsel of data privacy, Katherine Tassi, admitted in a blog post on Friday that late last year it identified a “one time access” of the database, exposing driver names and license numbers.
“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access,” she added.
“We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.”
The incident occurred in May 2014 but only exposed the details of a “small percentage” of Uber’s US drivers, albeit across multiple states, Tassi claimed.
In the meantime the firm is offering affected drivers free one-year membership of Experian’s ProtectMyID alert service, and has filed a John Doe lawsuit against the person it believes to be the hacker (via The Register).
The taxi service has also filed a subpoena against developer platform GitHub to force it to reveal the IP address of anyone who visited a specific Gist post between March and September 2014.
The post is not available now, but according to the John Doe lawsuit, it contained a “unique security key” which the attacker is alleged to have used to access the Uber driver database.
This isn’t the first time privacy issues have been raised about the firm.
Its lost and found records were briefly published online last month, while in November last year reports emerged that an executive had tracked the travel records of a journalist without her permission.
That incident forced the firm to update its privacy policy to clarify that it prohibits “all employees at every level from accessing a rider or driver’s data.”
Yet at the same time separate reports emerged alleging that another exec had floated the idea of using the firm’s ‘God’s View’ tool to attack critics of the company.