Report: Uber Staffers Were Spying On Customers, Had Access to Sensitive Information

Image courtesy of Kai Pfaffenbach / Reuters

Uber said it was devoted to protecting users’ privacy. A former security executive for the company said that couldn’t be further from the truth.

The popular mini-cab app is in hot water yet again after former in-house forensic investigator Ward Spangenberg revealed that staff members at the company have been able to monitor customers, including high-profile celebrities, without their knowledge or consent.

“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends and ex-spouses,” Spangenberg stated in a court declaration in October.

The former security exec’s allegations were reported Monday, Dec. 12, as part of the Centre for Investigative Reporting’s (CIR) Reveal project, which also reported that five other former Uber security pros disclosed that the company had continued allowing broad access to user information even after it assured customers that employees wouldn’t be able to monitor their trips. This was after a 2014 Buzzfeed report revealed the existence of the “God View” tool, which allowed staff members to access users’ trip information.

According to Reveal, “fewer than 10” Uber staffers have been fired for improper use of the privacy-encroaching tool. The company has since assured that it has “security and privacy experts working around the clock” to protect user data.

Ward Spangenberg, the former Uber security executive who blew the whistle on the company's unethical user tracking practices. Photo by Ward Spangenberg.

In addition to the illegal user monitoring, Spangenberg revealed that sensitive customer information like Social Security numbers was accessible to Uber employees. Credit card numbers were protected, however.

In his testimony, the former security exec, who is suing the mini cab company for age discrimination and whistleblower retaliation, denounced Uber’s practice of erasing files it was legally obligated to keep and revealed that the company would remotely encrypt its computers in order to keep authorities from collecting information. In fact, Spangenberg was the man they called on to lock down the computers.

“As part of Uber’s incident response team, I would be called when governmental agencies raided Uber’s offices due to concerns regarding noncompliance with governmental regulations,” he stated. “In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information. I would then be tasked with purchasing all new equipment for the office within the day, which I did when Uber’s Montreal office was raided.”

The 45-year-old said he was fired from the San Francisco-based company 11 months after joining the team over his repeated objections to its “reckless and illegal practices.”

Michael Sierchio, a tech industry vet who also served as a senior security engineer at Uber from January 2015 until June of this year, echoed Spangenberg’s sentiments, adding that the company had particularly lax protections for private information and security.

“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” Sierchio told Reveal. “It didn’t require anyone’s approval.”

During his time at the company, however, Spangenberg said Uber made efforts to improve its security provisions, like renaming the “God View” tool to “Heaven View” and utilizing special markers for high-profile, or “MVP” customers to prevent them from being spied on. However, he argued that the new features did little to protect non-MVP users.

An internal company email obtained by The Hill seemed to allude to the allegations made in the CIR Reveal report. “It’s absolutely untrue that all (or nearly all) employees have access to customer data. … Much of the information is out of date and doesn’t accurately reflect the state of our practices today,” it read.

The email went on to assert that the company is continuously working to increase its security investments and regain consumer trust, because without it, “We have no business.”
