The New York Attorney General’s office has imposed a $20,000 fine on ride-hailing company Uber for failing to give timely notice of a data breach. Beyond the dollars and cents, the company also agreed to a set of concrete security measures as part of the settlement.
Like credit card companies, Uber collects information from its customers -- enough to put their identities at risk from hackers. Specifically, Uber holds the names, e-mail addresses, phone numbers and payment card information of riders.
But it’s a two-way street, as drivers also hand over information to join the platform, including driver license numbers and vehicle registration numbers. Uber also stores the real-time geographic location of riders and drivers in order to match nearby drivers with customers.
The AG Is Satisfied
The backstory begins in November 2014. That’s when New York Attorney General Eric Schneiderman launched an investigation into Uber. He set out to discover how the transportation service collected, maintained and disclosed the personal information of its customers after reports emerged that Uber was displaying rider locations on an aerial map view through an internal tool known as “God View.”
If that wasn’t enough to cause concern over rider privacy, Uber waited nearly six months to report a data breach. In February 2015, Uber finally told officials that an “unauthorized third party” had accessed driver names and driver license numbers, a breach the company had discovered in September 2014. More than a year later, Schneiderman appeared satisfied that the penalty and security pledges would remedy the issue.
“This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle,” said Schneiderman. “We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees' private information.”
Why This Is Good
Although the $20,000 penalty seems light, Uber will take on real expenses to implement stronger security measures. The company agreed to encrypt riders’ geo-location information and to require multi-factor authentication before any employee can view “especially sensitive” rider information.
Additionally, Uber will limit access to geo-location data to employees with a valid business reason, and enforce that limit with technical access controls rather than policy alone. The company will also designate employees responsible for its privacy and security program, conduct annual training on data security policies and practices, and take several other measures.
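To make the access-control commitments concrete, here is an added illustration (not Uber’s code, and not anything described in the settlement beyond the three ideas above) of a deny-by-default gate in front of a real-time location record: the caller must hold a role assumed to carry a valid business reason, must cite a case ticket as justification, and must have completed a multi-factor step-up recently. Every attempt, allowed or denied, is written to an audit log. The role names, the 15-minute MFA window, the ticket format and the sample rider record are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy parameters (illustrative, not taken from the settlement).
LOCATION_ROLES = {"trust_and_safety", "support_tier2"}   # roles assumed to have a valid business need
MFA_MAX_AGE = timedelta(minutes=15)                       # step-up MFA must be at least this recent
TICKET_RE = re.compile(r"^[A-Z]{2,8}-\d{1,8}$")           # every lookup must cite a case ticket

# Fixed "current time" so the sample data below is reproducible (constructed).
SAMPLE_NOW = datetime(2016, 1, 6, 14, 5, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Employee:
    user_id: str
    roles: frozenset
    mfa_verified_at: Optional[datetime] = None   # None: never completed step-up


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# In production this would be an append-only, tamper-evident store, not a list.
AUDIT_LOG = []


def mfa_is_fresh(emp: Employee, now: datetime) -> bool:
    """True only if the employee passed a multi-factor check within MFA_MAX_AGE."""
    return emp.mfa_verified_at is not None and (now - emp.mfa_verified_at) <= MFA_MAX_AGE


def authorize_location_access(emp: Employee, rider_id: str,
                              justification: str, now: datetime) -> Decision:
    """Deny-by-default gate for rider location data; every attempt is audited."""
    if not emp.roles & LOCATION_ROLES:
        decision = Decision(False, "no role with a valid business reason")
    elif not TICKET_RE.match(justification):
        decision = Decision(False, "missing or malformed case justification")
    elif not mfa_is_fresh(emp, now):
        decision = Decision(False, "multi-factor step-up required or expired")
    else:
        decision = Decision(True, "authorized")
    AUDIT_LOG.append({
        "ts": now.isoformat(), "user": emp.user_id, "rider": rider_id,
        "justification": justification, "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


# Constructed sample record: one rider's current position.
LOCATION_STORE = {
    "rider-42": {"lat": 40.7484, "lon": -73.9857, "ts": "2016-01-06T14:00:00Z"},
}


def lookup_rider_location(emp: Employee, rider_id: str,
                          justification: str, now: datetime):
    """Return the location record only when the gate allows it; None otherwise."""
    if not authorize_location_access(emp, rider_id, justification, now).allowed:
        return None
    return LOCATION_STORE.get(rider_id)


def staff(user_id: str, roles, mfa_minutes_ago: Optional[int] = None) -> Employee:
    """Build a sample Employee whose last MFA check was mfa_minutes_ago minutes before SAMPLE_NOW."""
    mfa_at = None if mfa_minutes_ago is None else SAMPLE_NOW - timedelta(minutes=mfa_minutes_ago)
    return Employee(user_id, frozenset(roles), mfa_at)


if __name__ == "__main__":
    analyst = staff("u1", ["trust_and_safety"], mfa_minutes_ago=3)
    engineer = staff("u2", ["backend_dev"], mfa_minutes_ago=3)
    print(lookup_rider_location(analyst, "rider-42", "SAFE-1042", SAMPLE_NOW))   # the record
    print(lookup_rider_location(engineer, "rider-42", "SAFE-1042", SAMPLE_NOW))  # None, denial audited
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering of the checks matters for operational hygiene: role and justification are evaluated before the MFA prompt, so an employee with no business need is never even asked to step up, and the audit trail records which control refused the request. Encryption of the stored record at rest, also part of the settlement, is a separate layer not shown here.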
We asked Tim Erlin, director of IT security and risk strategy at Tripwire, for his thoughts on the settlement. He told us it is heavy on required actions that will better protect consumer and driver data, provided Uber follows through on its agreement.
“Many of the reforms amount to industry best practices, like employing multi-factor authentication and employee training. Unfortunately, best practice often isn’t common practice,” Erlin said. “Any organization experiencing rapid growth and expansion can find itself with entrenched, habitual processes that might not meet the legal requirements of their newly expanded identity. It’s important for organizations to regularly review the information security requirements to which they might be subject as their business expands.”