As the number of hacks and breaches increase in the news, people are not just becoming more accepting of data breaches, they are expecting to see data breaches. Now businesses are also expecting to see their competitors attempt to hack them.
For example, in early 2014, Uber discovered a breach involving the names and license numbers of nearly 50,000 drivers. By March 2014, Uber filed a lawsuit in the U.S. District Court for the Northern District of California against an unknown party related to the breach. In its Complaint, Uber claimed a “security key” was used without its authorization to gain access to its list of drivers. Count One of Uber’s Complaint, based on a violation of the Computer Fraud and Abuse Act, seeks damages for the unauthorized access to Uber’s driver database. Count Two of Uber’s Complaint, based on alleged violations of California’s penal code, seeks damages for the theft of information from Uber’s proprietary database. As this case proceeds through court, the unknown defendant, identified as “Subscriber,” filed various documents under seal. It appears the litigation will continue for a while as the court recently held that it was “reasonably likely” that Uber’s investigation would uncover the identity of the party referred to as “Subscriber.” The court has set a case management hearing for January 28, 2016.
While the Uber litigation does not mention Lyft in the allegations, recent information indicates Uber expects to find Lyft to be the source of the hack. In addition to Uber’s lawsuit, this breach has also spurred a investigation by the U.S. Department of Justice (DOJ). The DOJ has found that the source of the breach may be traced back to Uber’s main competitor, Lyft. Access to the compromised driver database was found on GitHub, a code-development website. After being contacted by Uber, GitHub determined only one IP address associated with the Uber hack that did not belong. Specifically, Reuters reports that Lyft’s technology chief, Chris Lambert, may have had his internet address come up in the investigation of the breach.
This is not the first time these two companies have been found competing outside the car-service apps. For example, Uber’s “playbook” for sabotaging Lyft was published online in August 2014. Uber has been accused of having its employees order and cancel rides and recruiting Lyft drivers in an effort to slow Lyft’s growth in new markets.
Secondly, consumers are expecting to see more hacks from the businesses they deal with. In addition to the privacy issues created by this litigation related to Uber drivers, there are also questions as to whether hacks at Uber and Lyft are compromising the safety of customers. For example, it has been recently reported that a “Rogue Lyft Driver” became angry when a woman in Chicago refused a ride. In a recent Facebook post, a Lyft customer described the following incident:
My driver was supposed to be an older black woman in an SUV. I got the notification saying my driver arrived. Went up the car window to check that the driver matched the picture and saw it was a man in his 40s. Car was different too. As I turned away to go back inside, he said, “Brittany? Get in the car!” I said, “You’re not my driver. I’m going inside.” But he kept shouting that “it doesn’t matter” and to get in the car. “I can drive you.”
About 10 seconds later, my actual Lyft driver, the woman, pulls up and asks what’s going on and who he is. At that point, the man speeds away. I leave eventually with the original woman and the man comes back and follows us for two or three blocks before we lose him at a light.
The Lyft customer believes the “rogue” driver may have hacked into the Lyft app and saw she was looking for a driver. Denying a hack of its system, Lyft has responded that the “Rogue Driver” showed up because the Lyft customer cancelled the low-rated driver before placing an order for the second Lyft driver. Even if this incident turns out to be unrelated to a hack, it demonstrates that Lyft customers are considering hacks as part of the marketplace when using technology.
Consequently, cybersecurity is now a consideration in how businesses interact with competitors, as well as how they deal with customers. The Uber incident demonstrates that businesses expect competitors to attempt to hack them. Likewise, the “Rogue Driver” situation, even if it was not caused by a hack or a breach, shows that consumers are prepared and actually expect to see businesses hacked.