Uber Fined $20,000 for Not Reporting Data Breach
On January 7, Uber was fined $20,000 by the New York Attorney General’s office for failing to report a September 2014 data breach. In addition to the fine, Uber had to agree to make security changes.
Uber collects and stores the personal information of both drivers and riders. Riders provide their names, email addresses, phone numbers and payment card information. Drivers provide that data plus their driver’s license numbers, vehicle registration and insurance information. Additionally, the ride-hailing app company stores the geographic location of riders and drivers.
New York’s Attorney General Eric Schneiderman began investigating the company in November 2014 to determine how it collected, stored and disclosed personal information.
Making things worse for Uber, the company waited until February 2015 to report that an unauthorized third party had accessed drivers' names and license numbers in September 2014.
Schneiderman is satisfied with the recent penalties and Uber’s promise to improve its security practices.
“This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle,” said Schneiderman. “I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees’ private information.”
Among the changes Uber has agreed to make are encrypting riders' geo-location data and requiring multi-factor authentication before an employee can view “especially sensitive” rider information. Certain Uber employees will oversee the privacy and security program and conduct security training.
Tim Erlin, director of IT security and risk strategy at Tripwire, told TopTechNews that this settlement will help to protect rider and driver personal information.
“Many of the reforms amount to industry best practices, like employing multi-factor authentication and employee training. Unfortunately, best practice often isn’t common practice,” Erlin said. “Any organization experiencing rapid growth and expansion can find itself with entrenched, habitual processes that might not meet the legal requirements of their newly expanded identity. It’s important for organizations to regularly review the information security requirements to which they might be subject as their business expands.”