The most recent Uber data breach occurred in August 2020, when a cybersecurity firm discovered a trove of Uber Eats data on the dark web. This data included login credentials and personal information pertaining to both customers and drivers.
So far in 2021, there have been no known Uber security breaches. Below, we’ll go into the full history of Uber data breaches and privacy violations, starting with the most recent.
August 2020: Uber Eats User Data Found on Dark Web
In August 2020, the cybersecurity firm Cyble discovered personal information on Uber Eats customers and drivers on the dark web. In total, around 579 customer files were discovered, featuring login credentials. Additionally, personal data on 100 drivers were in the leaked files, including details like names, contact information, trip logs, bank card information, and account creation dates.
August 2017: Uber Settles with FTC Over “God View” Privacy Issues
In August 2017, Uber reached a settlement with the Federal Trade Commission over privacy issues pertaining to its “God View” tool, through which it tracked the location of specific journalists and celebrities. As part of the settlement, Uber was forced to implement a new privacy program, as well as undergo two decades of privacy audits to ensure compliance with FTC requirements.
In April 2018, the settlement with the FTC was expanded in response to Uber’s actions regarding the attempted coverup of the 2016 data breach – more on that below.
December 2016: Lawsuit Claims Uber Employees Tracked High-Profile Individuals
In December 2016, a lawsuit was filed claiming that Uber employees were tracking high-profile individuals without just cause, including some politicians and celebrities. While Uber had placed restrictions on “God View” (then rebranded as “Heaven View”), the lawsuit claimed improper tracking activities were ongoing.
The lawsuit made the news not long after a version of the Uber app was released that had the ability to track user whereabouts even when they weren’t using the app. According to a November 2016 report, the new permissions didn’t sit well with many users, particularly since they weren’t given the option to allow location tracking only when the app was operating.
October 2016: Personal Data Stolen from 57 Million Accounts
In October 2016, hackers stole personal data from approximately 57 million user accounts, including both registered riders and drivers. This information included roughly 600,000 U.S. license plate numbers. The compromised accounts were not limited to a specific country.
Uber was aware of the attack and paid the hackers $100,000 to keep it under wraps. The company did not disclose the incident until Bloomberg reported on it in November 2017. In response, Uber CEO Dara Khosrowshahi stated in a press release that two individuals outside of the company accessed data on a third-party cloud-based system used by Uber. Additionally, he asserted that company-operated systems and infrastructure had not been compromised.
He went on to discuss the nature of the information stolen. The compromised data included the names and driver’s licenses of approximately 600,000 drivers in the United States, as well as the names, mobile phone numbers, and emails of around 57 million customers around the world.
Since the company didn’t report the incident to the public or authorities for a year, it was found in violation of data breach notification laws, resulting in a $148 million fine. In August 2020, the Justice Department also charged Joseph Sullivan, who was Uber’s chief security officer at the time of the incident, with misprision of a felony and obstruction of justice in connection with the attempted cover-up.
November 2014: Uber Uses “God View” to Track Journalists and Celebrities
In November 2014, Uber executive Josh Mohrer used Uber’s “God View” to track the location of a BuzzFeed reporter. This “God View” was widely accessible to Uber employees, and the story prompted public outcry against Uber’s privacy violations.
As “God View” came under fire, Uber attracted additional scrutiny when another Uber executive, Emil Michael, talked about harassing journalists in a dinner conversation. In response to these incidents, the New York Attorney General fined Uber $20,000 in January 2016.
May 2014: Hacker Accesses 100,000+ User Records
In May 2014, a hacker accessed sensitive records on 100,000 Uber users. The data was stored in plain text on an Amazon Web Services server. The access code to the data store had ended up on GitHub after an Uber software engineer shared code on the platform, giving anyone with the code full administrative privileges on that particular server.
Once in the server, the hacker accessed a single file. That file contained Uber driver information, including 100,000 names and driver’s licenses, as well as 215 name, bank account, and routing number files and 84 name and Social Security number combinations. Other sensitive information was also in the file.
September 2011: Uber Uses “God View” to Show Off Users’ Location
In September 2014, tech entrepreneur and writer Peter Eagle Sims relayed a story about Uber’s invasive “God View”, which he discovered in 2011. Through “God View”, Uber executives could track the location of specific users.
Sims became aware of God View when a journalist texted him from Uber’s Chicago launch party in 2011. As a party trick, Uber displayed the locations of specific users in front of guests. This is the first known incident involving God View, which was widely available to Uber employees from 2011 through 2017.
We did not find any earlier records of data breaches or privacy violations involving Uber.