Naked Security

Uber customer data exposed through online lost and found database

App-based taxi company Uber revealed customer names and phone numbers through its online lost and found database.

App-based taxi firm Uber is once again attracting the wrong type of headlines after exposing internal data on user accounts and phone numbers through its lost and found database.

According to Motherboard, the internal database was accessible online for around 5 hours on Monday before being replaced with a 404 error message.

During that time Motherboard was able to determine that the database, which appeared to be from the company’s Los Angeles office, detailed 155 lost items, including bags, phones, keys and even credit cards.

While the thought of leaving keys, cards and phones in a cab is scary enough, the fact that the database also made customer and driver names, phone numbers, internal ID numbers and ride information available is even more concerning.

Of course, anyone who left something of value in an Uber cab would have been pleased that their precious items were found, but it seems as if not all of the company’s drivers were particularly charitable with their post-trip discoveries – Motherboard notes how at least two drivers asked for cash for returning passengers’ goods.

According to a statement given to The Next Web, a spokesperson for Uber said:

Uber’s Lost Items feature has helped thousands of riders reconnect with belongings left behind after a trip. It appears that this log of lost items was accidentally made public, and we’re sorry for this mistake. We are looking into exactly how that happened so that it does not happen again.

Though the details of specific journeys taken with Uber were not revealed – they were hidden behind a password-protected portion of the website that only Uber drivers can access – the mistake is unlikely to bolster confidence in a company that has already courted so much controversy.

In November 2014 executive Emil Michael suggested that the company could dig up information about journalists that had written unflattering articles about the company.

Later that month it was discovered that Uber’s New York City general manager Josh Mohrer had breached the company’s own privacy policy by using the company’s in-house “God View” tool to track a BuzzFeed journalist’s trip to a meeting, reportedly because she was late.

In the aftermath of that faux pas, the firm took on IBM’s former chief privacy officer Harriet Pearson and the law firm she works for to completely overhaul and review its privacy policies.

A company blog post noted at the time:

Our business depends on the trust of the millions of riders and drivers who use Uber. The trip history of our riders is important information and we understand that we must treat it carefully and with respect, protecting it from unauthorized access.

As things stand today, it looks like Pearson has her work cut out.