Misrepresented its monitoring of employee access to data, steps taken to secure data

In a press release, the FTC summarized its privacy-related complaint against Uber.

For example, Uber told the public that the company “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.” Uber claimed access was “closely monitored and audited by data security specialists on an ongoing basis.” Uber made strong claims in its privacy policy, such as “We use the most up to date technology and services” to protect customer data, and “we’re extra vigilant in protecting” customer data via “the highest security standards available.”

In contrast, the FTC found that Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts” in that the security system “was not designed or staffed … effectively.” The FTC continued: “In approximately August 2015, Respondent ceased using the automated system it had developed in December 2014 and began to develop a new automated monitoring system. From approximately August 2015 until May 2016, Respondent did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, Respondent only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.”

The FTC also criticized Uber for letting engineers use shared access keys with full administrative privileges to all data in Uber’s Amazon Web Services database, rather than requiring that each program and each engineer use a separate key. Uber further failed to restrict access based on employees’ job functions, and failed to require multi-factor authentication to access data. Until March 2015, Uber stored sensitive personal information in AWS in clear text without encryption.
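The weaknesses the FTC describes (one shared key with full administrative rights over all data, no job-function scoping, no multi-factor authentication) are all visible in an IAM policy document before any key is ever issued. The following is an added example, not code from the original page or from Uber: a small policy linter that flags an `Allow` statement granting every action on every resource and one that lacks an `aws:MultiFactorAuthPresent` condition. The two policies are constructed to mirror the weak configuration described above and a least-privilege alternative; the bucket name is a placeholder.

```python
import json

# Constructed example policies (not Uber's actual IAM configuration).
# WEAK_POLICY mirrors the pattern the FTC complaint describes: full
# administrative privileges over every resource and no MFA requirement.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# HARDENED_POLICY scopes the grant to one (placeholder) bucket and to
# read-only actions, and only applies when the session authenticated with MFA.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-trip-data",
        "arn:aws:s3:::example-trip-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_grants_full_admin(stmt):
    """True when an Allow statement covers every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def statement_requires_mfa(stmt):
    """True when the statement is gated on aws:MultiFactorAuthPresent being true."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def audit_policy(policy):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if statement_grants_full_admin(stmt):
            findings.append(f"statement {i}: full administrative access (Action * on Resource *)")
        elif "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Resource * is not scoped to the data this role needs")
        if not statement_requires_mfa(stmt):
            findings.append(f"statement {i}: no MFA condition (aws:MultiFactorAuthPresent)")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

The check is deliberately narrow: it does not replace IAM Access Analyzer, but it is the kind of rule a team can run in code review over every policy file so that a key carrying `"Action": "*"` on `"Resource": "*"` cannot be committed unnoticed.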

Driver names and license numbers improperly secured

In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code which let an unauthorized third party access driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.

The New York Attorney General described the breach and Uber’s handling of the situation:

The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”
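The root cause described above, a cloud storage access ID committed to a public GitHub repository, is exactly what a pre-commit or CI secret scan is meant to catch. The following is an added example, not code from the original page or from Uber: a scanner that finds AWS access key IDs (the documented `AKIA` prefix plus 16 upper-case alphanumerics) and a 40-character secret sitting next to a variable named for it, and reports redacted matches so the alert itself does not re-leak the credential. The sample "commit" is constructed, and the key values in it are the placeholder credentials from AWS's own documentation, not real secrets.

```python
import re

# AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics.
# The lookarounds stop the pattern matching inside a longer token.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-alphabet characters. Alone that is too
# noisy, so only flag it when the same line names the secret variable.
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample of file content as it might appear in a commit being
# pushed. Both key values are AWS documentation placeholders, not live keys.
SAMPLE_COMMIT = """\
# storage client config
BUCKET = "driver-documents"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
TOKEN_PREFIX = "AKIA_is_just_a_prefix"
"""


def redact(secret, keep=4):
    """Keep a short prefix for triage; mask the rest so the alert does not leak it."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text):
    """Return (line_number, finding_kind, redacted_value) for every credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def commit_is_clean(text):
    """Gate for a pre-commit hook: True when no credential pattern was found."""
    return not scan_text(text)


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_COMMIT):
        print(f"line {lineno}: {kind} {value}")
    print("clean" if commit_is_clean(SAMPLE_COMMIT) else "blocked")
```

Line 6 of the sample shows why the boundary checks matter: the string starts with `AKIA` but is not a key and produces no finding. In practice the hook's job is only to block the push; the key still has to be treated as compromised and rotated, because anything that reached a public repository may already have been copied.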

As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee able to access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.

A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and Social Security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: the company initially notified fewer than half of the drivers affected, and others were notified some 16+ months later.

Controlled substances used at work and during work hours

As part of a review by former attorney general Eric Holder, a report recommended that Uber “take steps to … prohibit the use of controlled substances, including … prohibiting consumption of non-prescription controlled substances during core work hours, at work events, or at other work-sponsored events.” The report was based on an assessment of actual practices and problems — indicating that the review team found evidence of use of controlled substances during core work hours and at work events.

Mike Isaac’s Super Pumped is in accord: “Managers were doing drugs with their subordinates–cocaine, marijuana, and ecstasy” (p.27).

Passengers used Uber for drug deals

Vice reports passengers using Uber to pick up and distribute drugs. For example, in January 2015, two passengers in Los Angeles were found to be holding $2,000 of drugs and were using Uber to get to a drug transaction. Vice reports three other criminal cases involving Uber and drug dealing.

When Uber driver stole passenger’s bag, Uber falsely told police that the trip did not occur

Uber passenger Dane Wilcox reports the saga of a ride in an Uber in Boston. He told the driver he was leaving a bag in the passenger compartment as he unloaded luggage from the trunk — but then the driver drove off. When the driver didn’t return his calls or voicemails, he sought assistance from Uber and ended up filing a small claims lawsuit against Uber.

Meanwhile, in response to Wilcox’s police report, an officer tried to investigate, but Uber falsely told the investigating detective that the driver at issue had not worked for Uber for two years, and that the company had no record of the ride — both provably false. Based on these false statements which impeded the investigation, the small claims court awarded Wilcox the full $4000 he sought.

See also coverage by Ars Technica.

Litigation: driver assaulted passenger with a metal rod, yielding bleeding in brain

TMZ reported a lawsuit by a Chicago Uber passenger who says driver Munstr Abuseimi punched him repeatedly — then came back to his house with a metal rod which he used for further attacks. The passenger said he received a fractured left orbital, bleeding in his brain, concussion, and a dislocated jaw with nerve injury. Uber did not comment but said the driver no longer has access to the company’s app.

London police: Uber failed to report driver attacks

The Guardian reported a letter from the London Metropolitan Police’s taxi and private hire team, complaining that Uber failed to timely report drivers attacking passengers. “Had Uber notified police after the first offence, it would be right to assume that the second would have been prevented,” the letter explained. The letter said that Uber failed to report sexual assaults as well as an incident in which a driver “produced what was thought to be pepper spray during a road rage argument.”

Other investors asked Benchmark to sell its shares and exit Uber’s Board

In response to a Delaware lawsuit by Uber investor Benchmark Capital Partners, other investors in Uber asked Benchmark to sell its shares and step down from Uber’s board. The full letter from the other investors reads, in part:

We do not feel it was either prudent or necessary from the standpoint of shareholder value, to hold the company hostage to a public relations disaster by demanding Mr. Kalanick’s resignation, along with other concessions … Accordingly, we would request that Benchmark help the Company realize its full potential by allowing the necessary work to be done in the Board Room rather than the Courtroom.

Axios summarized the situation: “It was shocking enough for a major venture capital firm to sue the CEO of a highly-valuable portfolio company. For other VC firms to then make this sort of counter-move against a peer is similarly unprecedented. It’s a brave new world in Silicon Valley.”

High driver turnover

Citing internal Uber data, news site The Information reported (paid subscription required) that only 25% of drivers who passed Uber’s screening and drove at least one ride remained with Uber a year later. Many drivers report earning approximately $10 per hour after car maintenance and gas costs.