Uber, the world’s most valuable startup, just made a major gaffe: The ride-hailing company accidentally released the personal information of hundreds of its drivers, allegedly leaking social security numbers, scans of drivers’ licenses, taxi certification forms, and other private data. According to Motherboard, the leak was first reported by drivers on Tuesday, and was associated with the release of Uber’s new Partner app for drivers.
“We were notified about a bug impacting a fraction of our U.S. drivers earlier this afternoon,” an Uber spokesperson said in a statement to Motherboard. “Within 30 minutes our security team had fixed the issue.” Uber says the breach impacted 674 drivers in the U.S., and that fewer than a thousand documents were compromised. The leaked data was only shown to drivers who were logged into their accounts on the Partner app, Uber claims.
One driver told Motherboard that he detected the problem while uploading a document to the app; he refreshed the page and was shown hundreds of documents from fellow Uber drivers. “When I looked closer, it might have been the database of Uber drivers that are taxicab drivers that have access to Uber,” he told Motherboard. “There were a lot of taxi certification forms and livery drivers licenses and W-9 forms with Social Security numbers for taxi cab companies.”
There’s no evidence, at the moment, that Uber’s data landed in the wrong hands, or that any of the drivers have misused the information they had access to. But Uber drivers have reason to be concerned: The company hasn’t demonstrated that user privacy is top of mind, according to Motherboard. Last week, Uber patched up a major security flaw that gave hackers continued access to user accounts even after passwords had been changed. And earlier this year, Uber users had complained for months that they were getting charged for trips they didn’t make. In March, Motherboard had reported that a number of Uber user accounts were being sold on the Internet, using stolen login information.
With the rampant data breaches that now plague companies and even government entities, it’s imperative that a tech giant like Uber address security concerns effectively, without unintentionally leaking its own data and contributing to the problem.
On Wednesday, Uber announced a partnership with e-commerce platform Shopify, to offer same-day delivery for vendors in New York, Chicago, and San Francisco. The company’s courier service, UberRush, first launched last year exclusively in New York.