Uber fined $20K in data breach, 'god view' probe

The settlement with New York concludes a probe into a breach that exposed data of 50,000 drivers and the use of a "god view" rider-tracking system.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
Charlie Osborne
2 min read

Uber's settlement with New York includes the company's vow to strengthen security.


Uber must pay a $20,000 fine over a 2014 data breach, as part of a settlement with New York.

New York Attorney General Eric Schneiderman announced Wednesday the end of a 14-month probe into data protection practices and the use of a "god view" rider-tracking system at the ride-hailing app maker. The fine is for the data breach, but the settlement also focuses on rider privacy.

Uber is akin to a taxi service, but with a modern twist. The company enables people to book rides through an app with any Uber-contracted car owner. The app is available in 60 countries and 300 cities and is used by over 8 million people. Roughly 1 million rides are booked through the company every day.

In 2014, Uber discovered that a security breach had exposed the data of 50,000 drivers across the US. Following investigations that same year by Buzzfeed, San Francisco-based Uber came under scrutiny concerning how it handled sensitive user data as part of its "god view" rider-tracking system.

The "god view" tool, once widely available to Uber employees, revealed the locations of Uber cars and came to light when the general manager of Uber New York, Josh Mohrer, told a journalist that he was tracking her Uber ride and had accessed her ride history logs without her permission.

The situations led to New York's investigation of Uber's security policies. The probe resulted in the $20,000 fine tied to Uber's failure to inform drivers in a timely fashion about the 2014 security breach. While the fine does not relate to "god view" specifically, Uber has also agreed to restrict access to the tool and adopt more rigorous privacy and security practices.

Changes to the firm's practices include using password protection, encrypting the location data of Uber riders and drivers, and implementing multifactor authentication.

"This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle," Schneiderman said in a statement.

A copy of the settlement acquired by Buzzfeed reads:

"Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general."

Uber told Buzzfeed that that company is "pleased" to have reached an agreement with New York and is "deeply committed to protecting the privacy and personal data of riders and drivers."

Earlier this month, reports surfaced that San Francisco's largest taxi company, Yellow Cab, is close to filing for bankruptcy due to stiff competition from Uber and Uber rival Lyft, as well as a number of unresolved court cases.

This story originally posted as "Uber fined peanuts in God View surveillance, data breach investigation" on ZDNet.