Uber’s lack of security allowed employees to track customers, including ex-girlfriends or spouses, according to the company’s former forensic investigator.
Ward Spangenberg, who is suing the San Francisco-based taxi firm for age discrimination and whistleblower retaliation, made the claims about Uber’s data protection issues in a court declaration.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses.”
Spangenberg has also raised concerns over the company destroying files it was legally obligated to keep.
This comes just weeks after it was reported that the updated Uber app continues to collect information on its customers’ movements even after their ride has finished.
According to Reveal News, Spangenberg joined Uber in March 2015 to help tackle various security issues from around the world. He claims to have raised concerns over the company’s practices several times, before being fired after 11 months.
Uber has had data privacy issues before. In 2014 there was controversy over Uber’s “God View” tool, which gave employees a real-time aerial view of Uber cars and details of which customers were inside them.
Following an investigation by New York Attorney General Eric Schneiderman, Uber settled in January and promised to “limit access” to real-time trip data “to designated employees with a legitimate business purpose.”
Uber’s responsive measures included changing the name of God View to “Heaven View”, and creating a pop-up message that warned employees that their activity was being monitored. According to Spangenberg, though, few employees took any notice of it.
Michael Sierchio, who was a senior security engineer at Uber from early 2015 until June of this year, has also spoken out.
“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” he told Reveal. “It didn’t require anyone’s approval.”
Spangenberg’s declaration also claims Uber drivers’ personal data is at risk, with information such as social security numbers available to employees.
Uber fired Spangenberg for violating a code of conduct and reformatting his computer, erasing everything on it. He argues that he deleted and rebuilt his laptop because it had crashed – and that he was in fact fired for criticising security practices.
Uber has released a statement, saying, “We have made significant investment in tightening our access controls during the past several years. Allegations that simply acknowledging our policy in a pop-up window would provide access to customer data for unauthorized employees are not correct in our current environment.”
But security sources told Reveal that Uber's policy relies on the honour system, which means employees simply agree not to abuse the access.
“The only information, truthfully, that I ever felt was safe inside of Uber is your credit card information,” Spangenberg said. “Because it’s not stored by Uber.”
In addition, Spangenberg says that he helped remotely encrypt information on Uber computers at offices around the world, to stop international government agencies from investigating the company – including an investigation into tax evasion in Quebec, Canada.
“Uber routinely deleted files which were subject to litigation holds, which was another practice I objected to,” he wrote.
Uber has responded to Spangenberg’s lawsuit by saying it “generally denies each and every allegation”.
"Uber continues to increase our security investments and many of these efforts, like our multi-factor authentication checks and bug bounty program, have been widely reported," a spokesman said in a statement. "This includes enforcing strict policies and technical controls to limit access to user data to authorised employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated."