[Updated w/ Uber’s Email to Staff]: Uber Employees Used to Stalk Their Exes, Politicians & Celebrities
Uber employees have free access to customer information who use the company’s tracking system to monitor the whereabouts of “high profile politicians, celebrities, and even personal acquaintances, including ex-boyfriends/girlfriends, and ex-spouses.” A declaration in a lawsuit filed against Uber by its former forensic investigator was revealed today by a Center for Investigative Reporting article which detailed the lack of security at Uber.
Citing former employees, the piece reveals that “thousands of employees” had access to Uber’s tracking data along with personal information of drivers and other employees. With few security measures in place to restrict access, employees used the free access to spy on ex-girlfriends and celebrities like Beyoncé.
Personal information with Uber may not be safe
Filed by Ward Spangenberg, who worked on security systems at Uber starting in March 2015, the suit details Uber’s history with security and privacy failures. Spangenberg was fired from the company last February. In an October court declaration, Spangenberg is suing Uber for wrongful termination and defamation; the suit also claims the 45-year-old employee dealt with age discrimination.
In his court declaration, Spangenberg added that Uber employees freely used this information to help each other spy on ex-boyfriends and ex-girlfriends by tracking where and when they traveled, violating consumer privacy and data protection regulations.
If these allegations of user privacy and data security failures weren’t enough, the declaration also alleges that the company shut down connectivity during law enforcement raids to stifle investigators. The company also allegedly destroyed documents related to pending litigation.
In addition to the security vulnerabilities, Spangenberg said Uber deleted files it was legally obligated to keep. And during government raids of foreign Uber offices, he said the company remotely encrypted its computers to prevent authorities from gathering information.
Recently, another report had suggested that the app can track users even when they are not using it. The latest lawsuit will further increase these concerns. But, Uber disputes all such claims and maintains that it has strict controls to protect user information.
Uber continues to increase our security investments and many of these efforts, like our multi-factor authentication checks and bug bounty program, have been widely reported. We have hundreds of security and privacy experts working around the clock to protect our data. This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated.
Michael Sierchio, a former senior security engineer at Uber supported the claims that Spangenberg makes. “When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” he said. “It didn’t require anyone’s approval.”
[Update] Uber ensures its employees security practices have changed
Uber sent the following email to its employees after the Reveal story earlier today (via):