The database includes customer names, phone numbers, and internal identification numbers.
Update 2/10/15: This story has been updated with a statement from Uber.
Someone named Angelica left a Patti Smith record in the back of her Uber on February 5th.
I know this, and Angelica's phone number, because Uber has left its internal lost-and-found records on a publicly accessible site.
The records appear to be from the agency's Los Angeles office (many customer phone numbers have Southern California area codes, LA is in the URL, and many drivers' licenses were lost). Other pages on the site are used to tell prospective drivers which cars are acceptable, which documents are legally required, and which vehicle inspections are necessary to drive. A security oversight appears to have left the Los Angeles lost and found database public, however.
The records detail 155 items filed in the system between early December and today. As I was reporting this story, Christine's jean jacket and an iPhone 4 with green cover were added to the system.
It's not a minor thing: Customer and driver names, along with some customer phone numbers, and internal identification numbers are on the site, as are specific route and ride identification information. Specific route information is hidden behind a password-protected site, but still, not a good look.
"They have these databases for a noble purpose, which is to get people's stuff back, so I want to give them more leeway for that. That said, I can't think of a reason why it would need to be publicly available," Justin Brookman director of the consumer privacy project at the Center for Democracy and Technology, told me. "It's bad design, considering they've been taking a lot of criticism about privacy lately. I think people prefer when people lose something that Uber not tell the world what they lost. Hopefully, it'll be a lesson learned sort of thing."
So, what are we leaving in our Ubers? Lots and lots of cell phones, of course. Keys, sunglasses, headphones, and credit cards, but also "a picture with the client and a woman at Seasons 32," a blue Powerade water bottle, a "bag of stuff," "crisco oil and ice breakers mint," medical weed cards, vinyl records (the aforementioned Patti Smith and, separately, a group of Spanish language ones), a skateboard, a selfie stick, and lots more.
About two hours after this story was first posted, Uber removed the page.
"Uber's Lost Items feature has helped thousands of riders reconnect with belongings left behind after a trip," an Uber spokesperson told me. "It appears that this log of lost items was accidentally made public, and we're sorry for this mistake. We are looking into exactly how that happened so that it does not happen again."
Back in 2011, the company noted that the "meticulous trip details that we log at Uber make it easy for us to track down your driver, trip information AND lost items."
"The drivers often contact us to let us know when they've found items in the car in hopes that we can get them back in your hands quickly," the company said.
That's not always the case, it appears. At least two drivers seemed to be demanding money in exchange for returning the items, according to the site. "INSISTENT ON GETTING $10," read one note on a lost car key. "Requested payout," another driver noted on three separate entries for lost items.
Many of the items have been returned, but a wayward e-cigarette was slated to be destroyed, for some reason, if it had not been claimed by the end of January (no word on whether or not it has since passed on to the trash heap).
Uber has, of course, been dogged by a few privacy scandals in recent months: First a company exec floated the idea of using Uber's own data and running opposition research on journalists who write about the company; later, it came out that many employees of the company (including drivers) once had access to its "God view," which could be used to track all Uber rides as they happened.
Those disclosures led Uber to hire Harriet Pearson, IBM's former chief privacy officer, to do an internal audit of the company's privacy practices. Presumably, Pearson won't be happy with this.