Uber has settled with New York Attorney General Eric Schneiderman over two data privacy investigations.
One was a 14-month investigation into rider privacy and the company’s use of a “God view” tool to track riders and to display their information in an aerial view.
The other investigation was concerned with a data breach, caused by Uber itself, that exposed hundreds of Uber driver names, social security numbers, pictures of drivers licenses, tax forms and other sensitive information.
Schneiderman’s office announced on Wednesday that Uber’s getting fined $20,000 for failure to provide timely notice of that breach.
How much of a lag?
The AG’s investigation found that in early 2014, an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate.
The post was accessible to the general public.
A few months later, in May 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers.
Uber discovered the breach in September 2014 but didn’t inform the affected drivers and Schneiderman’s office until February 26 2015.
The $20K fine for that failure to provide timely notice is a pittance: it amounts to more of a flick on the wrist than a slap, given Uber’s soaring valuation.
Besides the fine, the settlement requires Uber to encrypt rider geolocation information and to adopt multifactor authentication that would be required before any employee could access especially sensitive rider personal information.
This is the full laundry list of what the AG’s office called the leading data security practices that Uber pledged to adopt:
- Limit access to geolocation information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls, and a formal authorization and approval process;
- Designate one or more employees to coordinate and supervise its privacy and security program;
- Conduct annual employee training to inform employees who are responsible for handling private information about Uber’s data security practices;
- Adopt protective technologies for the storage, access, and transfer of private information, and credentials related to its access, including the adoption of multifactor authentication, or similarly protective access control methodologies;
- Conduct regular assessments of the effectiveness of Uber’s internal controls and procedures related to the securing of private information and geolocation information and the implementation of updates to such controls based on those assessments; and
Uber’s checkered taxi past
The two incidents that the NY AG investigated are just a small part of Uber’s rather colorful past when it comes to protecting (or not) user and driver data.
In October 2015, it was revealed that Uber was failing to log out users who reported their accounts had been hacked and who asked for a password change: a situation that allowed intruders to continue hailing rides from compromised user accounts long after they’d been breached.
At one point, those hacked accounts were fetching as little as 40 cents on the dark web, as fraudsters in China used them to book free (at least, free for the fraudsters!) rides.
And speaking of passwords, months before, Uber had gotten into hot water over emailing new passwords in plaintext instead of sending a password-reset link.
Was that what led to account hijackings?
Well, maybe, maybe not, given that at least one victim admitted that her password was pretty feeble, but it was yet another “Really?” moment for Uber.
Then too, earlier last year we reported how the company’s driver database found its way onto GitHub, exposing the details of some 50,000 drivers – the breach for which Uber’s now being fined $20,000.
That breach was loosely linked to competitor Lyft, after Uber discovered how an IP address – allegedly associated with Lyft’s CTO, Chris Lambert – had accessed the database using the key leaked on GitHub.
Additionally, there was the internal lost and found database which exposed customer data after being published and then left online.
Another of Uber’s privacy debacles involved a job applicant who was given unrestricted access to customer data both during his interview and for several hours afterwards.
Uber has a history of bristling at criticism of its security practices, and more than once it’s responded by violating journalists’ privacy: one executive suggested spending $1 million to mine personal data for dirt to discredit a journalist who criticized the company, for example.
Another incident was when Uber found itself having to investigate yet another exec for poking at yet another journalist’s personal data (twice), tracking her movements without her permission.
Uber’s tracking of that reporter, BuzzFeed’s Johana Bhuiyan, is what triggered Schneiderman’s investigation into Uber’s use of the so-called God View tool.
According to a copy of the settlement obtained by BuzzFeed, Uber purged some rider information from its God View system during the course of the AG’s investigation.
BuzzFeed quotes the settlement:
Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general.