Fired Chief Security Officer Joe Sullivan

Mike Isaac’s Super Pumped (p. 396) reports new Uber chief legal officer Tony West fired Chief Security Officer Joe Sullivan for the 2016 incident in which Sullivan paid a hacker who had infiltrated Uber systems.  In West’s view, this was an improper payment, and Sullivan should have sought legal advice and informed authorities of the breach.  In Sullivan’s view, paying a hacker was legitimate.

Uber asked Sullivan to sign a non-disparagement agreement in exchange for a severance payment. When Sullivan refused to sign, Uber leaked the story to a reporter, calling the payment a cover-up operation to pay off hackers and hide evidence from consumers.  West’s view was vindicated when Sullivan was convicted of federal charges in 2022.

Chief Security Officer Convicted of Obstruction

A federal jury convicted Joe Sullivan, former Chief Security Officer of Uber, for obstructing FTC proceedings in connection with his attempted cover-up of a 2016 hack of Uber.  See the 2016 incident in which Sullivan paid a hacker who had infiltrated Uber systems.

A US Attorney’s Office press release explains:

[S]hortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. …

The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.

In Fall 2017, Uber’s new management began investigating facts surrounding the 2016 data breach. When asked by Uber’s new CEO what had happened, Sullivan lied, falsely telling the CEO that the hackers had only been paid after they were identified and deleting from a draft summary prepared by one of his reports that the hack had involved personally identifying information and a very large quantity of user data. Sullivan lied again to Uber’s outside lawyers conducting an investigation into the incident. Nonetheless, the truth about the breach was ultimately discovered by Uber’s new management, which disclosed the breach publicly, and to the FTC, in November 2017. …

In finding Sullivan guilty, the jury concluded he obstructed justice, in violation of 18 U.S.C. § 1505, and that he committed misprision of felony (i.e., knew that a federal felony had been committed and took affirmative steps to conceal that felony), in violation of 18 U.S.C. § 4.

In 2003, Sullivan was sentenced to three years’ probation and a $50,000 fine.

Tracked riders after rides ended

Mike Isaac’s Super Pumped (p. 232) reports that at Travis Kalanick’s instruction, Uber began to track riders even after they had ended their rides.  Isaac describes no proper purpose for this tracking, but says Kalanick “wanted to gain insight into … where people went after getting dropped off.”

2014 hack released data about drivers

Mike Isaac’s Super Pumped (p. 208, 215) reports a May 2014 hack in which the names and license numbers of more than 50,000 drivers were compromised.  Uber kept the hack secret, although California law required notifying authorities of a data breach.

Under guidance from new Chief Security Officer Joe Sullivan, Uber finally reported the breach in February 2015, nine months after it occurred.

Circumvented Apple’s privacy protections on IMEI device IDs

Mike Isaac’s Super Pumped (p. 193, 200, 203-204) explains how Apple concealed phones’ IMEI device IDs, but Uber found a way to circumvent this protection.  Uber’s tactic strengthened its defenses against fake-account scammers, but violated Apple’s rules regarding user privacy.  To increase the likelihood that it could keep using this tactic, Uber kept it secret — and designed its circumvention code with “geofencing” so it would not function for users in greater San Francisco.  But when an Apple tester outside California tested Uber’s app, Apple uncovered Uber’s ruse. Apple was angry not just about the circumvention of its privacy protections, but about the affirmative effort to avoid detection. Apple ultimately told Uber that if it ever again attempted this kind of deception, it would be kicked off Apple devices permanently.

Regulators sued Uber for failing to disclose data breaches

After a data breach in which hackers stole data from about 600,000 drivers globally, for which Uber paid a ransom to hackers but did not notify affected drivers, regulators pursued Uber’s violation of applicable law, including state laws about notifying those subject to data breaches.

  • The FTC filed a revised complaint adding additional concerns to a prior action against Uber. Uber responded by agreeing to expand its prior settlement with the FTC over charges that it deceived consumers about its privacy and data security practices. The FTC specifically criticized Uber for failing to disclose the breach to the FTC until November 2017, fully a year after the breach occurred, even though the FTC was already investigating other Uber data security practices.
  • Pennsylvania sued, threatening a penalty of up to $13.5 million ($1000 for each of the 13,500 Pennsylvania drivers affected).
  • The city of Chicago also sued (complaint), seeking $10,000 per day for each day that Uber violated the state’s disclosure ordinance, as well as $50,000 for violating the Illinois Consumer Fraud Act.

Regulators criticized company’s cover-up of data breach

After a data breach exposed information about 57 million user accounts and Uber covered it up (including paying hackers a ransom), multiple regulators criticized Uber’s response.

The FTC said it was “closely evaluating the serious issues raised.”

The New York Attorney General’s office said it opened an investigation of Uber’s actions. The Massachusetts Attorney General reported “serious concerns” about Uber’s conduct. Attorneys general in New York, Illinois, and Connecticut also opened investigations, as did the city of Portland, Oregon.

The UK Information Commissioner’s Office pointed out that “Deliberately concealing breaches from regulators and citizens could attract higher fines.” Current British law imposes penalties up to 500,000 pounds for failing to notify users and regulators about data breaches. More than 2.7 million UK users were affected.

Mexico’s National Institute of Transparency, Access to Information and Protection of Personal Data also criticized the breach and Uber’s response, seeking information about effects on Mexican citizens.

In addition, Uber faced three class action lawsuits alleging that it was negligent in its failure to protect consumer data.

Covered up 2016 hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders, as well as personal information about 7 million drivers (including 600,000 US driver’s license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber’s then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters reported that new CEO Dara Khosrowshahi said he had learned about the problem only “recently.”

Uber Chief Security Officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Special iPhone permission let Uber app see iPhone screen even when app not running

Security researcher Will Strafach found Uber’s app enjoying an unusual Apple iOS security permission not used by any other app. Called com.apple.private.allow-explicit-graphics-priority, this permission allowed Uber’s app to see what was on the user’s screen even if the Uber app was not active.

An Uber spokesperson explained the purpose of this security permission: “It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app.” The spokesperson continued: “Apple gave us this permission years [ago] because Apple Watch couldn’t handle our maps rendering.”

Uber indicated that it used the entitlement only in version 8.2 of its app, and that a subsequent update from Apple fixed the memory issue for Apple Watch and made this workaround unnecessary.