Five former Uber security professionals have told Reveal from The Center for Investigative Reporting that the company continued to allow broad access to its riders’ location, even after it insisted it had strict policies that prohibited employees from accessing users’ trip information with limited exceptions. They noted that thousands of employees throughout the company could get details of where and when each customer travels.
Uber’s former forensic investigator Ward Spangenberg wrote in his court declaration that Uber employees helped ex-boyfriends stalk their ex-girlfriends and searched for the trip information of celebrities such as Beyoncé. Spangenberg, who has held information security jobs at a variety of tech companies, is now suing the San Francisco-based ride-hailing company for age discrimination and whistleblower retaliation.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg wrote. In addition to the security vulnerabilities, Spangenberg said Uber deleted files it was legally obligated to keep.
“I also reported that Uber’s lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection and consumer privacy rights,” he stated in the declaration.
Uber has responded by issuing a statement that says the company maintains strict policies to protect customer data and comply with legal proceedings, while acknowledging that it had fired employees for improper access.
Meanwhile, security sources say that the Federal Trade Commission (FTC) is now also investigating Uber’s information security practices.