A former Uber employee is suing the company for whistleblower retaliation, exposing a startling set of claims about data privacy practices within the San Francisco-based corporation. At 45, Ward Spangenberg is a seasoned infosec expert who reportedly discovered extremely lax policies on data protection, retention and security — and how near-universal internal access to detailed personal information compromises the privacy of all Uber riders.
First up in Spangenberg’s declaration is that “payroll information for all Uber employees was contained in an unsecured Google spreadsheet”.
He says that Uber collects “a myriad of data” about its customers, including names, emails, social security numbers, locations, device types, and “other data that the user may or may not know they were even providing to Uber by requesting a ride”. Furthermore,
Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses. I also reported that […] allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection and consumer privacy rights.
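The declaration’s core security complaint is that customer records were readable by every employee rather than by a small authorised team, with nothing tying a lookup to a business reason. As an added illustration (not code from Uber, from the declaration or from the article), the script below audits a constructed access log against a least-privilege policy: the role names, the log format, the ticket field, the “sensitive account” list and the location-read threshold are all assumptions made up for the example. It flags lookups by roles that should never see PII, lookups with no recorded justification, lookups of accounts marked sensitive, and one employee repeatedly reading the same person’s location, which is the “tracking ex-partners and celebrities” pattern the declaration describes.

```python
"""Audit customer-record lookups against a least-privilege access policy.

Added example; the policy, roles, log format and sample events below are
constructed for illustration and are not Uber's.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Assumed policy: only these roles may read customer PII at all.
PII_ROLES = {"trust_safety", "support_tier2"}

# Assumed: accounts of public figures get a mandatory second review.
SENSITIVE_ACCOUNTS = {"c9009"}

# Constructed sample access log, one JSON object per line.
SAMPLE_LOG = [
    '{"employee":"alice","role":"support_tier2","customer":"c1001","field":"trip_history","ticket":"SUP-4410"}',
    '{"employee":"bob","role":"marketing","customer":"c2002","field":"location","ticket":null}',
    '{"employee":"dave","role":"support_tier2","customer":"c9009","field":"location","ticket":"SUP-5"}',
    '{"employee":"erin","role":"trust_safety","customer":"c4004","field":"location","ticket":"TS-12"}',
    '{"employee":"erin","role":"trust_safety","customer":"c4004","field":"location","ticket":"TS-12"}',
    '{"employee":"erin","role":"trust_safety","customer":"c4004","field":"location","ticket":"TS-12"}',
]

# Finding codes emitted by the audit.
UNAUTHORISED_ROLE = "UNAUTHORISED_ROLE"          # role may not read PII
NO_JUSTIFICATION = "NO_JUSTIFICATION"            # no ticket / business reason recorded
SENSITIVE_ACCOUNT = "SENSITIVE_ACCOUNT"          # lookup of a flagged account
REPEATED_LOCATION_READS = "REPEATED_LOCATION_READS"  # same person located again and again


@dataclass(frozen=True)
class Finding:
    employee: str
    customer: str
    reason: str


def check_event(ev: dict, sensitive: set) -> list:
    """Per-event checks: is the role allowed, was a reason recorded, is the target sensitive."""
    findings = []
    if ev["role"] not in PII_ROLES:
        findings.append(Finding(ev["employee"], ev["customer"], UNAUTHORISED_ROLE))
    if not ev.get("ticket"):
        findings.append(Finding(ev["employee"], ev["customer"], NO_JUSTIFICATION))
    if ev["customer"] in sensitive:
        findings.append(Finding(ev["employee"], ev["customer"], SENSITIVE_ACCOUNT))
    return findings


def audit(lines, sensitive=SENSITIVE_ACCOUNTS, max_location_reads=3) -> list:
    """Run the per-event checks, then the cross-event repeated-location check."""
    findings = []
    location_reads = Counter()  # (employee, customer) -> number of location reads
    for raw in lines:
        ev = json.loads(raw)
        findings.extend(check_event(ev, sensitive))
        if ev["field"] == "location":
            location_reads[(ev["employee"], ev["customer"])] += 1
    for (employee, customer), n in location_reads.items():
        if n >= max_location_reads:
            findings.append(Finding(employee, customer, REPEATED_LOCATION_READS))
    return findings


def reasons_for(findings, employee: str) -> set:
    """Set of finding codes raised against one employee."""
    return {f.reason for f in findings if f.employee == employee}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason:24} employee={f.employee} customer={f.customer}")
```

In the sample, alice’s ticketed trip-history lookup is clean, bob is flagged twice (wrong role, no ticket), dave’s lookup of a sensitive account is routed for review even though his role and ticket are in order, and erin’s three location reads of one customer trip the tracking threshold despite a valid ticket. The point of the last two rules is that role checks alone are not enough: the declaration’s abuse cases involve people who did have access, so the audit has to look at what was read and how often, not only who read it.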
Such a wealth of personal information, available to all “without regard to any particular employment or security clearance” would make a mockery of Uber’s Vulnerability Management Policy, which “specifically stated, in writing” that:
the policy could not be followed if Uber deemed there was a “legitimate business purpose” for not doing so, or if a Director level employee or above permitted such an exception.
Finally, Uber “routinely deleted files which were subject to litigation holds,” while its Incident Response Team
would be called when governmental agencies raided Uber’s offices due to concerns regarding noncompliance with governmental regulations. In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information. I would then be tasked with purchasing all new equipment for the office within the day, which I did when Uber’s Montreal office was raided.
Spangenberg was reportedly “also a point person when foreign government agencies raided company offices abroad,” remotely encrypting office computers from Uber’s San Francisco HQ.
“My job was to just make sure that any time a laptop was seized, the protocol locked the laptops up,” he said.
You can read Will Evans’s excellent article on the story here. Ward Spangenberg’s full declaration can be read here.