Ride-hailing company Uber has agreed to a settlement with New York Attorney General Eric T. Schneiderman over the company's tracking system, referred to internally as "God View," that provided real-time access to information about affiliated vehicles, drivers, and passengers. The settlement requires Uber to take steps to protect customer data. Separately, the company has agreed to pay $20,000 for failure to provide notice of a data breach disclosed in Feb. 2015.
The New York State Office of the Attorney General (NYAG) opened an investigation into Uber's privacy practices following a BuzzFeed report that claimed Uber New York general manager Josh Mohrer had tracked BuzzFeed reporter Johana Bhuiyan without her knowledge or consent. The investigation found Uber's "God View" tool.
During the course of the investigation, Uber removed personal information from its tracking application.
Under the agreement, Uber will keep location data in a password-protected system and will encrypt the data in transit. It will employ an approval process and technical controls that limit access to location data to employees with a legitimate business need for the information. It will designate one or more employees to oversee its privacy and security program.
The $20,000 fine is a consequence of Uber's failure to report a data breach in a timely manner, as required by New York business law. In Feb. 2015, Uber revealed that in Sept. 2014 it had discovered a data breach that occurred in May that year.
According to the Assurance of Discontinuance that summarizes the NYAG's findings, Uber was informed that a competitor had access to an Uber security code. The company's investigation found that an Uber employee had inadvertently posted the security code to Uber's cloud storage account on GitHub and that someone using an IP address not associated with any authorized Uber personnel had accessed a "pruned" copy of an Uber database.
"Although Uber had deleted most personal information and 'salted and hashed' passwords within the file before it was stored, the file contained driver's license numbers capable of being matched to driver names stored elsewhere within the file," the NYAG's filing states.
The filing says that Uber doesn't currently collect location information when its app is closed and that the company has committed to notifying users and providing an option to opt out if it starts doing so. The company also reserves the right to derive a user's location from his or her IP address, a method less precise than using geolocation APIs.
"We are deeply committed to protecting the privacy and personal data of riders and drivers," an Uber spokesperson said in an emailed statement. "We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first."