Uber left a security key on GitHub
Uber is trying to force GitHub to disclose all the IP addresses that accessed a security key that Uber left on a public GitHub page Reuters

Controversial app-based taxi company Uber seems to keep committing security faux pas – a court complaint has revealed that the data breach of personal details relating to 50,000 drivers occurred thanks to a security key that was stored on a public GitHub page.

GitHub is a web-based Git source code repository service where developers store successive versions of their software code, and Uber is now trying to force it to disclose the IP addresses of every single person that accessed the webpage which unlocked the driver database.

The taxi app firm has only just admitted to the data breach on 27 February 2015, when the database intrusion actually happened over four months ago on 17 September 2014.

All drivers have been offered a free one-year membership to Experian's ProtectMyID Alert, and Uber has confirmed that it has filed a "John Doe" lawsuit in order to figure out who the hacker was.

The subpoena sent to GitHub (hosted by The Register) reads: "The contents of these internal database files are closely guarded by Uber. Accessing them from Uber's protected computers requires a unique security key that is not intended to be available to anyone other than certain Uber employees, and no one outside of Uber is authorised to access the files.

"On or around May 12, 2014, from an IP address not associated with an Uber employee and otherwise unknown to Uber, John Doe I used the unique security key to download Uber database files containing confidential and proprietary information from Uber's protected computers."

Of course, it's all very well to close the stable door after the horse has bolted, but it's not like developers haven't been warned many times in the past not to store sensitive passwords and security keys in software code uploaded on GitHub pages.

Also, even if Uber does manage to access the IP addresses, they may not be able to tell the firm much about the attacker even with the help of an internet service provider (ISP) to identify the IP address.

"But of course there's no guarantee that the customer is actually the guilty party. Attackers are in the habit of covering their tracks by using other people's computers as proxies," writes Sophos' Naked Security blogger John Zorabedian in a new post.

"Uber's best chance of tracking down the hacker might be getting GitHub's records to match up the IP address with a GitHub user login, but even that would rely on the attacker having used their own account to access GitHub."

Just in February, Uber had to admit to unwittingly exposing sensitive customer lost and found data records on its website, including customer phone numbers and full names.

Also fresh in people's minds is the incident with Uber executive Emil Michael, who suggested at a dinner in November 2014 that the company could dig up personal information about journalists that had written critical pieces about Uber.

Even worse, later in the same month, it was found that Uber's New York City general manager Josh Mohrer did breach the firm's privacy policy by spying on Buzzfeed tech reporter Johana Bhuiyan using the company's in-house God View tool, which is widely accessible to corporate employees, but not drivers.