Credential theft
Uber Canada GitHub Credentials: 2014 AWS S3 Breach of 50,000 Driver Records
Incident Details
In May 2014, a third party accessed an Uber software engineer’s private GitHub repository that contained AWS credentials stored in code. Using these credentials, the attacker accessed an Amazon S3 bucket containing a database backup with names and driver’s licence numbers for approximately 50,000 Uber drivers, primarily in the US and Canada.

Uber discovered the breach in September 2014 and notified the state attorneys general and affected drivers in February 2015, approximately nine months after the breach and five months after discovery. Uber sent notification letters to approximately 50,000 current and former Uber drivers. The New York State Attorney General and California Attorney General both opened investigations into Uber’s delayed notification. The California AG reached a $25,000 settlement with Uber for the breach notification delay.

This 2014 Uber breach is separate from the more famous 2016 Uber breach (where 57 million users and drivers were affected and Uber paid a ransom and concealed the breach for over a year). The 2014 incident established an early pattern of inadequate security practices at Uber, particularly around credential management in developer environments, a practice subsequently recognised as the same attack vector used in countless other breaches.
Technical Details
- Initial Attack Vector: An Uber software engineer stored AWS credentials in a private GitHub repository; the repository was accessed by a third party who used the credentials to access an Amazon S3 bucket containing the driver database backup; the third party used the AWS access to download approximately 50,000 driver names and licence numbers
- Vendor / Product: Uber private GitHub / AWS S3 driver database
Timeline
- 2014-05-12 Breach occurred
- 2015-02-27 Publicly disclosed
- 2015-02-27 Customers notified