Uber Pays $20,000 Fine for Not Reporting Data Breach
By Jennifer LeClaire / CRM Daily
The New York Attorney General’s office has imposed a $20,000 fine on ride-hailing app company Uber for failing to offer timely notice of a data breach. Beyond the dollars and cents, the alternative taxi service also agreed to make some serious security moves to show good faith.

Like credit card companies, Uber collects information from its customers -- enough to put their identities at risk from hackers. Specifically, Uber holds the names, e-mail addresses, phone numbers and payment card information of riders.

But it’s a two-way street as drivers also give up information to be part of the program, including driver license numbers and vehicle registration numbers. Uber also stores real-time geographic location of riders and drivers to connect nearby drivers with customers.

The AG Is Satisfied

The backstory begins in November 2014. That’s when New York Attorney General Eric Schneiderman launched an investigation into Uber. He set out to discover how the transportation service collected, maintained and disclosed the personal information of its customers after reports emerged that Uber was displaying rider information in an aerial view, internally known as God’s view.

If that wasn’t enough to cause concern over rider privacy, Uber waited nearly six months to report a data breach. Last February, Uber finally told officials that an "unauthorized third-party" had accessed driver names and driver license numbers beginning as far back as September 2014. More than a year later, Schneiderman appeared to be satisfied that the penalties and security pledges will remedy the issue.

“This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle,” said Schneiderman. “We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees' private information.”

Why This Is Good

Although the $20,000 penalty seems light, Uber will take on expenses to implement stronger security measures. The company agreed to encrypt the geo-location information of riders, and require multi-factor authentication before any employee can view “especially sensitive” rider information.

Additionally, Uber will limit access to geo-location data to certain employees with valid reasons, and enforce this limitation using high-tech control systems. The company will also appoint certain employees to oversee its privacy and security program, conduct annual training about data security policies and practices, and take several other measures.

We asked Tim Erlin, director of IT security and risk strategy at Tripwire, for his thoughts on the settlement. He told us it’s heavy on required actions that will better protect consumer and driver data if Uber follows through with its agreement.

“Many of the reforms amount to industry best practices, like employing multi-factor authentication and employee training. Unfortunately, best practice often isn’t common practice,” Erlin said. “Any organization experiencing rapid growth and expansion can find itself with entrenched, habitual processes that might not meet the legal requirements of their newly expanded identity. It’s important for organizations to regularly review the information security requirements to which they might be subject as their business expands.”

Image credit: Uber.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.