Imagine the temptation.
You’re leading the technology group at a fledgling car-sharing service. Your biggest competitor is valued at 24 times as much as your company. You feel like you’re falling behind.
Worse, that rival is a bully. It has relentlessly recruited your drivers. It has slowed your entrance into new markets with cutthroat tactics—including, allegedly, repeatedly ordering and canceling rides.
And then: A godsend. Your arch-nemesis has unwittingly published the private encryption key for an important database that contains the personal information of its drivers—on the code-sharing site GitHub. It has committed, as Dan Goodin, security editor at Ars Technica describes, “the online equivalent of stashing a house key under a doormat.”
Do you ignore it? Play the good samaritan and notify the company? Or do you strike, unlocking its secrets?
Around the same time that Uber and Lyft—the ride-sharing services referenced above—were fighting one another for supremacy in spring 2014, a hacker breached the former’s database and downloaded as many 50,000 of its drivers’ names and license numbers. Two Reuters sources say Chris Lambert, chief technology officer at Lyft, is associated with the cyber intrusion.
Lambert has yet to publicly confirm or deny the accusation, although a Lyft spokesperson told Reuters that the company investigated the matter “long ago” and concluded that “there is no evidence that any Lyft employee…had anything to do with Uber’s May 2014 data breach.” In the meantime, Uber is prodding Comcast (CMCSA) to divulge the IP address associated with the incident in hope that it could help reveal the identity of the perpetrator.
The culprit did not gain access to the driver data, as far as anyone knows, by sending spear-phishing emails to people at the company, as the hackers who breached Samsung-owned (SSNLF) LoopPay likely did. Nor did he or she break in by using unauthorized credentials, as is alleged in the recent lawsuit between the Tribune Co. and journalist Matthew Keys. Uber, quite simply, didn’t secure a path to its proprietary information—and an intruder used it to gain entry.
Fortune previously wrote about Uber’s newfound hacking prowess. It seems only fair to consider the possibility that Lyft has chops, too. We cannot say for certain who is responsible for the deed; there is no proof one way or the other. (So far.) But it’s not difficult to find a plausible motive in this narrative. Here’s hoping that evidence emerges to clear the air.
Which brings me to a public service announcement in celebration of National Cyber Security Awareness Month. Please avoid posting your private encryption key in the public domain. You never know who will come a-knocking.
A version of this post originally appeared in Data Sheet, Fortune’s daily tech-business newsletter. Click here to subscribe.
