Uber accused of hoarding a gaggle of stalkers

An ex-Uber employee has unleashed numerous claims the internet innovator is harbouring a horde of stalkers and security protocols which make Yahoo look like Fort Knox.

Jamie Davies

December 13, 2016


The accusations have come from former employee Ward Spangenberg who happens to be in the process of suing the company for age discrimination and whistle-blower retaliation. Spangenberg claims numerous employees were using customer data to track celebrities, politicians and also personal connections, including ex-girlfriends and ex-boyfriends. It is claimed all employees had access to this data, as opposed to a small, accountable security team.

“I complained that Uber did not have regard for data protection, including, among other items, that payroll information for all Uber employees was contained in an unsecure Google spreadsheet,” said Spangenberg in a court declaration. “I also reported that Uber’s lack of security regarding its consumer data was resulting in Uber employees being able to track high profile politicians, celebrities and even personal acquaintances of Uber employees.”

Spangenberg’s role at Uber was in the security department, where he assisted in developing numerous new teams and functions including security response, information security operations forensics, compliance, eDiscovery, and investigations. Primarily Spangenberg was tasked with developing new security procedures and responding to problems from around the world.

While the accusation will come as a shock to many customers around the world, Uber has been in hot water over its tracking of customers before. Two years ago it was revealed executives could track customers through the ‘God View’ feature, and only a couple of weeks ago it was revealed the app was continuing to collect data from the customer after it had been closed down. Despite numerous promises from the Uber team that it is taking its data protection responsibilities seriously, Spangenberg paints a different picture.

“I also reported that Uber’s lack of security, and allowing all employees access to this information was resulting in a violation of governmental regulations regarding data protection and consumer rights,” said Spangenberg.

Uber does have a Vulnerability Management Policy which is designed to prevent such abuse, though there are conditions where customers can be tracked. If it was considered there was a ‘legitimate business purpose’, or there was permission from someone at Director level or above, the policy could be ignored. The lack of definition or specification of what would be considered a ‘legitimate business purpose’ leaves a lot of wiggle room, and effectively negates the Vulnerability Management Policy itself.

While the indifference to customer data protection is worrying, it also extends to its own employees. Personal information such as social security numbers was available to all employees in Uber, as it was stored in a relatively simple, unsecured Google spreadsheet. Little thought was given to security or clearance as to who could access the information.

The final accusation, which could land Uber in some serious trouble, focuses on the roadblocks it put up when being raided by government agencies. When an office was raided by agencies investigating regulatory noncompliance, connectivity was shut down to prevent investigators gaining access to Uber’s servers.

Spangenberg also claims Uber purposely deleted information which was subject to litigation holds, which, if found to be true, could have some serious consequences for the management team. We’re talking a little bit more than a slap on the wrist here; this is contempt of court. These accusations look like they could lead to prison sentences.

For those who are not as familiar with the on-going data protection saga and maybe do not understand why there has been such a fuss over the fall of Safe Harbour and its successor EU-US Privacy Shield, this is a prime example of what European data privacy advocates are trying to avoid. It would be unfair to say the rest of the world is perfect and all data privacy violations happen in the States, though it does seem to happen in The Land of the Free quite often…