'Stalk an ex or look up anyone': Weak Uber security allowed spying on riders – report
These allegations against the ride-sharing giant stem from an October 2016 lawsuit filed by its former forensic investigator, 45-year-old Samuel Ward Spangenberg. In May, he sued Uber over age discrimination and whistleblower retaliation, but his case has gone under the radar these many months. It has just come to light, thanks to the Center for Investigative Reporting (CIR).
In his court declaration, signed in October, Spangenberg points to a lack of effort on Uber’s part to protect private customer data, which comes in violation of “governmental regulations regarding data protection and consumer privacy rights.”
According to Spangenberg, due to “Uber' s lack of security,” employees were able “to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses.”
Another employee confirmed that to the CIR’s Reveal.
“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” Michael Sierchio, Uber’s senior security engineer between early 2015 until June 2016, said. “It didn’t require anyone’s approval.”
Spangenberg’s lawsuit says Uber collected data on every requested ride, including customers’ names, locations of ride requests, the amount paid and devices used to hail a cab. He alleges that there was a “myriad of other data that the user may or may not know they were even providing to Uber by requesting a ride.”
Yet Uber appeared not to care much about its customers’ private data protection, often keeping details in an “unsecure Google spreadsheet.”
Spangenberg has also pointed at Uber’s irresponsible treatment of its drivers’ information, including social security numbers, which could be accessed by all Uber employees, if they wanted.
In late November, Uber updated its mobile app, letting itself collect location data from its users not only when it is in use, but also when the application is running in the background on one’s phone. Uber claimed this would help it upgrade its service.
Besides bringing awareness to Uber’s “numerous critical issues,” Spangenberg says he also objected to the company’s protocols used to deal with raids on Uber's local offices.
While he does not name all the raids, in 2015, Uber was subjected to searches in Europe, Asia and North America.
He says, as part of Uber's Incident Response Team, he was called any time governmental agencies raided Uber's offices over concerns regarding noncompliance with regulations.
“In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber's information,” he wrote.
Spangenberg says he always took extreme caution to retain data which was the subject of any litigation holds and never deleted any emails. However, he wrote, this was not the case with Uber, which “routinely deleted files which were subject to litigation holds.”
All of his concerns, Spangenberg addressed to his supervisor John Flynn and Human Resources Director Andrew Wegley. Blowing that whistle, he believes, resulted in his termination in February 2016, just a month prior to his first anniversary at Uber. It was followed by what Spangenberg’s defense called “defamatory statements” made by Uber.
Spangenberg’s concerns have been echoed by Sierchio and as three other former Uber security professionals, all of whom told the CIR that Uber neglected security protections.
“Early on, ‘growth at all costs’ was the mantra, so you can imagine that security was an afterthought,” Sierchio told Reveal.
Uber did assemble a security team, but concerns remained.
“One of the things I was told is, ‘It’s not a security company,’” Sierchio said. As Spangenberg recalled to the CIR, he was told the same thing.