Uber gets slap on the wrist in “God View” settlement

New York Attorney General fines Uber $20,000 for failure to quickly report data breach

How do you reprimand the most well-funded private company in the world after exposing their poor data privacy practices? Charge them a few bucks, apparently.

Uber has agreed to pay a penalty of $20,000 to the New York Attorney General in a settlement over its negligence in “reporting unauthorized third-party access to drivers’ personal information,” according to BuzzFeed News. The company has also agreed to enact better privacy and security measures to prevent its employees from repeating the same mistakes.

The settlement concludes a 14-month investigation into Uber’s privacy practices, including the use of a “God View” tool, which provided anyone at Uber corporate with access to real-time drivers and passengers using the app, complete with personal information. While Uber drivers didn’t have access to the tool, the company’s employees did—and treated the matter relatively lightly.

BuzzFeed News launched their own investigative report after Uber New York general manager Josh Mohrer outright told BuzzFeed reporter Johana Bhuiyan that he was tracking her.

From the settlement:

“Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general.”

In addition to its “God View” investigation, the New York Attorney General also looked into Uber's September 2014 discovery of a data breach that had affected some drivers. In May 2014, an Uber engineer accidentally shared an access ID publicly, opening up a data breach that exposed drivers’ personal information. Because Uber failed to quickly notify authorities and those affected by the breach, the company was hit with a $20,000 fine.

Of course, the fine is just a small drop in the bucket of billions that Uber has been able to raise from institutional investors over the past few years, but hopefully the company takes seriously its error.

In response to the breach, the company says it has “increased its use of encryption, implemented additional developmental controls that require multi-factor authentication and hired additional security personnel and enhanced security training.”

While Uber is likely glad to have this investigation settled, its legal troubles abound all around the world. In California, many are closely watching the class-action lawsuit brought against the company by drivers who believe they should be classified as employees, not independent contractors. A California judge has ruled that anyone driving for Uber in the state can join the suit.

Uber offered this statement on the story:

“We are deeply committed to protecting the privacy and personal data of riders and drivers. We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first.”