Uber employees can readily access riders’ personal data, and many of them have used that ability to peek at the sensitive information of everyone from celebrities to ex-girlfriends, one former employee alleges.
Samuel “Ward” Spangenberg, Uber’s former forensic investigator, is suing the company for age discrimination and for retaliating against him as a whistleblower.
In an October court filing published Monday by the Center for Investigative Reporting, Spangenberg says the company failed to adequately protect the sensitive data it collects every time a customer requests a ride, including the customer’s name, location data, email address, payment amount and information about the device used to request the ride.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg testified.
Also open for Uber employees’ perusal: its drivers’ Social Security numbers, which Spangenberg says “were available … to all Uber employees, without regard to any particular level of employment or security clearance.”
Spangenberg says he repeatedly spoke out against the weak security measures, and, as a result, was fired this spring after only 11 months on the job.
A group of former Uber workers interviewed by Reveal news said their own experiences supported Spangenberg’s claims.
“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” said Michael Sierchio, one former Uber employee. “It didn’t require anyone’s approval.”
Sierchio left the company in June 2016.
Uber’s Chief Information Security Officer John Flynn disputed most of Spangenberg’s allegations in an internal email to employees Monday, which an Uber spokeswoman forwarded to The Huffington Post.
“Much of the information is out of date and doesn’t accurately reflect the state of our practices today,” Flynn wrote, though he did acknowledge that Uber, “like every fast-growing company,” hasn’t “always gotten everything perfect.”
Flynn pledged the company is continually improving its security systems and policies, with major progress being made in the past year.
In particular, he noted:
- All employees are required to acknowledge and agree to a data access policy, including at on-boarding. You’re reminded of this policy every time you access internal data tools once you have the required permission (see below). All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated. We have terminated employees in the past for violating this policy.
- It’s absolutely untrue that all (or nearly all) employees have access to customer data, with or without prior approval. This is more than simply the “honor system”: we have built entire systems to implement technical and administrative controls that limit access to customer data to those employees who require it to perform their jobs. This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access.
- What’s more, this access is granular: if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee’s role and the specific purpose at hand.
- Many employees are in operational roles and have legitimate reasons to access customer data. For example, our anti-fraud team have access to trip data so they can investigate allegations of scams and compromised accounts. Some employees have access to driver profiles in order to check the validity of insurance documents required by law. And in the case of a traffic incident, a dedicated member of our safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution.
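The controls Flynn describes in the email above (access scoped to role and purpose, manager and legal approval for sensitive fields, every access logged and audited) can be sketched as a single data-access gateway. The code below is an added illustration written for this article, not Uber's code; the roles, field names, case identifiers and employee names are constructed for the example, and the rule that a lookup must name an open case the subject is linked to is an assumption about how a "legitimate business case" would be recorded.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed, illustrative mapping of roles to the data fields they may read.
# Mirrors the email's examples: anti-fraud sees trip data, a compliance role
# sees driver insurance documents, a safety investigator sees contact details.
ROLE_SCOPES = {
    "anti_fraud": {"trip_history", "payment_amount", "device_info"},
    "driver_compliance": {"driver_insurance_docs"},
    "safety_investigation": {"trip_history", "rider_contact", "driver_contact"},
    "engineer": set(),  # no customer data by default
}

# Fields whose access additionally needs manager and legal sign-off
# (the "multiple steps of approval" the email describes).
SENSITIVE_FIELDS = {"rider_contact", "driver_contact", "driver_ssn"}
REQUIRED_APPROVALS = {"manager", "legal"}


@dataclass(frozen=True)
class AccessRequest:
    employee: str
    role: str
    field: str                          # which data field is being read
    subject_id: str                     # whose data (rider or driver id)
    case_id: Optional[str] = None       # the stated business purpose
    approvals: frozenset = frozenset()  # who signed off on this lookup


@dataclass
class AuditEntry:
    when: datetime
    request: AccessRequest
    allowed: bool
    reason: str


class CustomerDataGateway:
    """Single choke point through which employees read customer data."""

    def __init__(self, open_cases: dict[str, set[str]]):
        # case_id -> set of subject ids legitimately under investigation
        self.open_cases = open_cases
        self.audit_log: list[AuditEntry] = []

    def authorize(self, req: AccessRequest) -> tuple[bool, str]:
        scope = ROLE_SCOPES.get(req.role)
        if scope is None:
            allowed, reason = False, "unknown role"
        elif req.field not in scope:
            allowed, reason = False, "field outside role scope"
        elif req.case_id is None:
            allowed, reason = False, "no case id: purpose not stated"
        elif req.subject_id not in self.open_cases.get(req.case_id, set()):
            allowed, reason = False, "subject not linked to case"
        elif req.field in SENSITIVE_FIELDS and not REQUIRED_APPROVALS <= req.approvals:
            allowed, reason = False, "sensitive field without manager+legal approval"
        else:
            allowed, reason = True, "ok"
        # Every decision, granted or denied, is written to the audit log.
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc), req, allowed, reason))
        return allowed, reason

    def denied_lookups_by_employee(self) -> Counter:
        """Audit helper: count denied attempts per employee."""
        return Counter(e.request.employee for e in self.audit_log if not e.allowed)

    def employees_to_review(self, threshold: int = 2) -> list[str]:
        """Employees with repeated denied lookups are queued for investigation."""
        counts = self.denied_lookups_by_employee()
        return sorted(emp for emp, n in counts.items() if n >= threshold)


def run_demo() -> CustomerDataGateway:
    # Constructed sample: two open cases and a handful of lookups.
    gw = CustomerDataGateway(
        open_cases={"FRAUD-17": {"rider-42"}, "SAFETY-9": {"rider-77", "driver-5"}}
    )
    gw.authorize(AccessRequest("alice", "anti_fraud", "trip_history", "rider-42", "FRAUD-17"))
    gw.authorize(AccessRequest("alice", "anti_fraud", "trip_history", "rider-99", "FRAUD-17"))
    gw.authorize(AccessRequest("bob", "engineer", "trip_history", "rider-42"))
    gw.authorize(AccessRequest("bob", "engineer", "payment_amount", "rider-42"))
    gw.authorize(AccessRequest("carol", "safety_investigation", "rider_contact", "rider-77", "SAFETY-9"))
    gw.authorize(AccessRequest("carol", "safety_investigation", "rider_contact", "rider-77",
                               "SAFETY-9", frozenset({"manager", "legal"})))
    return gw


if __name__ == "__main__":
    gateway = run_demo()
    for entry in gateway.audit_log:
        print(entry.request.employee, entry.request.field, entry.allowed, entry.reason)
    print("review queue:", gateway.employees_to_review())
```

The point of routing every read through one gateway is that the audit log is complete by construction: a denied lookup of an unrelated rider is recorded just like a granted one, so the review routine can surface the pattern Sierchio describes (looking up someone with no business justification) rather than relying on self-reporting.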
In a statement to HuffPost, Uber pledged it takes securing customer data extremely seriously, noting the company’s use of “multi-factor authentication checks and bug bounty program,” or a reward system for people who find bugs in its software.
“We have hundreds of security and privacy experts working around the clock to protect our data,” Uber’s statement added. “This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated.”