New York, NY - January 6, 2016 - Attorney General Eric T. Schneiderman today announced a settlement with Uber that requires the company to adopt leading data security protection practices to protect its riders’ personal information. In late November 2014, the Attorney General opened an investigation into Uber’s collection, maintenance and disclosure of rider personal information amid reports that Uber executives had access to riders’ locations and that Uber displayed this information in an aerial view, known internally as “God View.” Separately, on February 26, 2015, Uber notified the Attorney General that as early as September 2014, it had experienced a data breach where Uber driver names and driver license numbers were accessed by an unauthorized third party. This settlement resolves both investigations.
“This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle,” said Attorney General Schneiderman. “We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees' private information.”
The settlement requires Uber to encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices. It also requires Uber to pay a $20,000 penalty for failure to provide timely notice to drivers and Schneiderman’s office regarding the data breach in September, 2014.
Uber owns and operates a mobile application platform that allows riders to connect with Uber drivers using their mobile phone. Uber collects certain personal information from riders, including name, email address, phone number, and payment instrument. Uber also collects data from drivers, including driver license information, vehicle registration and licensing information, and vehicle inspection documentation. Uber also collects the geographic location of riders and drivers in real time.
The Attorney General opened an investigation after several public reports about inappropriate access and display of rider geo-location information. For example, after arriving at Uber’s New York headquarters in an Uber car, Buzzfeed reporter Johana Bhuiyan alleged that Uber’s New York General Manager Josh Mohrer met her as soon she stepped out of her vehicle, saying “There you are. I was tracking you.” The Attorney General’s investigation found that Mr. Mohrer was referring to an internal tracking system Uber calls “God View.” Uber’s operations team maintains an aerial view of the real-time movement of cars on the Uber platform to assist in real-time tasks, including observing whether cars were clustered in one section of town to balance supply and demand. If there were rides being requested in an area of town with too few vehicles, Uber sends a message to drivers letting them know that there are potential riders in that area. During the investigation, Uber eliminated all personal information from the aerial view.
Under the agreement, Uber has agreed to maintain and store GPS-based location information in a password-protected environment, and encrypt the information when in transit. Uber has also agreed to a number of other reforms including to:
- Limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls, and a formal authorization and approval process;
- Designate one or more employees to coordinate and supervise its privacy and security program;
- Conduct annual employee training to inform employees who are responsible for handling private information about Uber’s data security practices;
- Adopt protective technologies for the storage, access, and transfer of private information, and credentials related to its access, including the adoption of multi-factor authentication, or similarly protective access control methodologies;
- Conduct regular assessments of the effectiveness of Uber’s internal controls and procedures related to the securing of private information and geo-location information and the implementation of updates to such controls based on those assessments; and
Finally, pursuant to General Business Law § 899-aa, Uber has agreed to pay $20,000 for failure to provide notice of the data breach in a timely fashion to the affected drivers. The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”
This case was handled by Internet Deputy Bureau Chief Clark Russell, Internet Bureau Chief Kathleen McGee and Executive Deputy Attorney General for Economic Justice Karla G. Sanchez.