Attorney General Eric Schneiderman this week announced a $20,000 agreement with the $62.5 billion ride-sharing app Uber, revealing that the startup unwittingly leaked driver names and license plate numbers in the spring of 2014 and failed to notify drivers of the breach for almost a year.
The agreement included several security protection practices that the startup is now legally required to uphold.
The AG launched his investigation into Uber in November 2014, following reports that its employees had access to rider trip information via an aerial view known internally as "God View."
In October 2014, it came out that Uber executives were allegedly using the geo-location information as a party trick at launch events. BuzzFeed writer Johana Bhuiyan reported the next month that Uber's New York General Manager Josh Mohrer met her as she stepped out of her Uber at the startup's New York headquarters. "There you are," he said. "I was tracking you."
Independent of the AG, the app launched an internal investigation into its security practices in November 2014, stating that "we fully acknowledge that we haven’t always gotten it right."
During the investigation into the app's security practices, the AG's office confirmed that a separate data breach had occurred in May 2014.
According to its formal agreement with the AG's office, in September 2014 Uber discovered that one of its engineers had posted an access ID for the app's cloud storage on GitHub that spring. As a result, an unknown third party had gained access to Uber data. One file contained drivers' license plate numbers, which could be matched to their names.
The impacted drivers were not notified of the data breach until February 2015.
On top of the $20,000 fine for the data breach and subsequent delayed notification, Uber formally agreed to a set of security measures that it insists were in place prior to the AG investigation.
"This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle," said Attorney General Schneiderman in a statement.
"We are deeply committed to protecting the privacy and personal data of riders and drivers," an Uber spokesperson said in a statement.