Uber Settles Over Data Breach
Firm Agrees to Encrypt GPS Information, Better Safeguard Customer Data
Any U.S. organization that delays issuing a data breach notification to victims risks having its information security policies get reviewed - and potentially overhauled - by state regulators, not to mention being fined.
Those are just some of the takeaways from the settlement and $20,000 fine announced by the New York Attorney General's Office on Jan. 6 with taxi-hailing mobile platform Uber. The settlement relates to the company's failure to restrict access to riders' and drivers' personally identifiable information, as well as a five-month delay between Uber discovering that its drivers' PII had been exposed in a data breach and its notifying victims (see Uber Breach Affects 50,000 Drivers).
Uber runs a mobile platform that allows riders to connect with drivers, and which tracks their geographic coordinates in real time. As part of its registration process, Uber also collects PII from riders, including name, email address, phone number and payment type. From drivers, it collects driver's license details, vehicle registration and licensing information, and vehicle inspection documentation.
As part of the settlement, Uber has now agreed to encrypt riders' geo-location information, classify and restrict internal access to personally identifiable information and other sensitive data about riders and employ multi-factor authentication to safeguard data access, among other changes.
"This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle," says New York Attorney General Eric T. Schneiderman. "We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here."
Uber didn't immediately respond to a request for comment about the settlement agreement.
Settled: Two Separate Investigations
The settlement and fine relate to two separate investigations launched by Schneiderman's office. The first was launched after Johana Bhuiyan, a reporter for the entertainment news site Buzzfeed, alleged that when she arrived at Uber headquarters in an Uber-chartered car, the company's New York General Manager Josh Mohrer greeted her as she emerged from the car by saying: "There you are. I was tracking you."
Bhuiyan reported that Mohrer was referring to a capability that the company refers to internally as "god view" - in reference to real-time strategy games that provide an aerial view of everything happening on the ground below - that provides Uber's operations team with a real-time look at the location of all of its cars, so that it can better juggle supply and demand. After the AG's office launched its investigation, Uber stopped displaying riders' PII as part of its god view.
The second investigation launched by the AG related to Uber informing Schneiderman's office on Feb. 26, 2015, that it had discovered in September 2014 that one of its databases had been accessed by an unauthorized third party in May 2014.
At the same time that Uber notified the AG's office, Katherine Tassi, Uber's managing counsel of data privacy, notified 50,000 drivers that some of their personal details appeared to have been compromised. According to a related "John Doe" lawsuit filed by Uber at the time, and since confirmed by the AG's office, an Uber employee had accidentally published one of the company's APIs - providing access to its mobile ride-sharing platform - to the GitHub code-sharing service, where it was publicly accessible. Uber says that the API was used, once, to access PII being stored for the 50,000 drivers.
At the time, Tassi gave no explanation for the five-month delay between finding the breach and warning affected drivers, which drew the ire of New York regulators, since the state's General Business Law requires breached organizations to alert the state attorney general's office "in the most expedient time possible and without unreasonable delay."
Security, Privacy Program Changes
The Uber settlement provides a useful template for any organization that stores PII. For example, some of the information security and privacy changes that Uber has agreed to implement include:
- Restricting access to geo-location information to employees who have demonstrated a legitimate "need to know" business purpose, and enforcing this via both policies and technical access controls;
- Designating one or more employees to coordinate and supervise Uber's privacy and security program;
- Annually training employees who handle PII about how to comply with Uber's data security practices;
- Implementing multi-factor authentication or similar access control technologies to restrict access to PII;
- Encrypting all PII, whether it's being stored, accessed or transferred;
- Regularly reviewing Uber's security processes and procedures and their effectiveness.
"I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers' and employees' private information," New York Attorney General Schneiderman says.
Indeed, information security consultant Brian Honan, who advises the association of European police agencies - Europol - on cybersecurity matters, says that any organization that handles PII should be encrypting as well as restricting access to all of that information (see TalkTalk Lesson: Prepare for Breaches). In part, that's because almost any type of PII today - not just payment card numbers - can be monetized by cybercriminals, experts warn.
Geo-Location Privacy Dangers
Uber isn't the first firm to get slammed for its handling of users' geo-location details. For example, the 2015 breach of online dating service Ashley Madison - tagline: "Life is short, have an affair" - revealed that the Toronto-based company was storing GPS coordinates for many of its 37 million current and former users.
Whoever attacked Ashley Madison leaked that data, and Australian data security expert Troy Hunt found that it included many members' latitude and longitude details, logged down to five decimal places, meaning the information was accurate to a range of about 1 meter, or 3.3 feet. Anecdotal reports say that information was used to help unmask users of the site, for example by spouses (see 2016 Breach Prevention: Time to Purge Data).
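The "five decimal places, about 1 meter" figure above is worth checking, because it is the practical test of how identifying a stored coordinate is. The script below is an added example, not code from the article or from any of the companies it discusses: it computes the ground distance represented by the last decimal place of a latitude/longitude pair, and shows a coarsening function that rounds coordinates before they are stored so that street-level precision is never retained. The sample coordinate is a constructed point in the Toronto area, and the meters-per-degree constant assumes a spherical Earth, which is accurate enough for this purpose. One detail the paragraph does not mention: the 1-meter figure holds for latitude; east-west precision shrinks with the cosine of the latitude, so the same five decimals are even finer-grained away from the equator.

```python
import math

# Approximate length of one degree of latitude in meters (assumes a spherical Earth).
METERS_PER_DEGREE_LAT = 111_320.0


def decimal_precision_m(decimals, latitude_deg=0.0):
    """Return (north_south_m, east_west_m): the ground distance covered by
    a change in the last decimal place of a coordinate stored with
    `decimals` decimal places, at the given latitude."""
    step_deg = 10.0 ** (-decimals)
    north_south = step_deg * METERS_PER_DEGREE_LAT
    # A degree of longitude shrinks toward the poles by cos(latitude).
    east_west = north_south * math.cos(math.radians(latitude_deg))
    return north_south, east_west


def coarsen(lat, lon, decimals):
    """Data-minimization step: round a coordinate pair to `decimals` places
    before storing it. The dropped digits cannot be recovered from the
    result, so a later leak exposes only the coarser location."""
    return round(lat, decimals), round(lon, decimals)


def precision_table(latitude_deg, max_decimals=5):
    """Map decimal count -> (north_south_m, east_west_m) for 0..max_decimals."""
    return {d: decimal_precision_m(d, latitude_deg) for d in range(max_decimals + 1)}


# Constructed sample point (Toronto area), logged to five decimal places.
SAMPLE_LAT, SAMPLE_LON = 43.65107, -79.34702

if __name__ == "__main__":
    for d, (ns, ew) in precision_table(SAMPLE_LAT).items():
        stored = coarsen(SAMPLE_LAT, SAMPLE_LON, d)
        print(f"{d} decimals: ~{ns:,.1f} m N-S, ~{ew:,.1f} m E-W "
              f"at {SAMPLE_LAT:.0f}N -> stored as {stored}")
```

Running it shows that five decimals resolve to roughly 1.1 m north-south (and about 0.8 m east-west at Toronto's latitude), while two decimals resolve to about 1.1 km, which is still enough for supply-and-demand balancing but no longer identifies a house or an office. Applying `coarsen` at write time, rather than filtering at read time, is the point: data that was never stored cannot be leaked or viewed through an over-privileged dashboard.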