Uber Agrees $20,000 Fine for failing to Report a Data Breach

Ridesharing giant Uber has agreed to pay a $20,000 fine for the ‘failure to provide timely notice to drivers’ about a data breach that occurred in September, 2014.

New York’s attorney general, Eric T. Schneiderman, has announced a settlement with Uber that will see the San Francisco-based company pay a fine for failing to inform drivers of a data breach in time. Significantly, the announcement also revealed that Uber agreed improve its cybersecurity standards and practices.

Some of the new practices that Uber is required to adhere to as a part of the settlement includes:

  • Encryption of rider location details. Uber will now have to encrypt the geo-locations of its riders as a direct measure to put an end to Uber’s infamous ‘God View.’ The mode of ‘God View’ –a term coined internally by its staff – allowed Uber executives to access riders’ locations in an aerial view.
  • Adopting multi-factor authentication. This additional security measure will be implemented to authorize employees who access riders’ sensitive personal information.

The press release announcing the settlement and new measures enforced upon Uber to adhere to a better security standard includes a baffling example of ‘inappropriate access’ of rider information. Buzzfeed reporter Johana Bhuiyan alleged that upon arriving at Uber’s New York headquarters in an Uber car, the general manager of Uber’s New York Josh Mohrer said: “There you are. I was tracking you.”

Uber’s God View

The means to tracking riders with such precision in a real-time basis is achieved via ‘God View.’ Basically, ‘God View’ is an internal tracking system that allows Uber’s operations team to have access to a real-time aerial view of movement of cars. A practical reason for wielding ‘God Mode’ was to inform drivers of potential rides in an area of the city with a lack of drivers.

During the course of the investigation, the statement from the Attorney General’s office also noted that Uber eliminated all drivers’ and users’ personal information from the aerial view.

An excerpt from the settlement, which can be found in its entirety here, reads:

Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general.

The Infamous Uber Breach

In early 2014, an Uber engineer posted an access ID used to access Uber’s third-party cloud storage on Github.com. The posting was public. Predictably, a hacker was able to access the database on the cloud in May, 2014. This database contained tens of thousands of Uber drivers’ personal information including names and driver license numbers.

Hacked previously reported on the hack that Uber is now paying the settlement for, an event that was only revealed by the company in March – months after the breach was discovered in September 2014. The hack may have compromised up to 50,000 Uber drivers, or a “small percentage of current and former Uber driver partners,” a company statement said at the time.

In a statement following the settlement and measures forcing the company to adopt better and safer security measures, Attorney General Schneiderman said:

This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including real-time locations of riders in an Uber vehicle.

Featured image from Shutterstock.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.