Regulators criticized company’s cover-up of data breach

After a data breach exposed information about 57 million user accounts and Uber covered it up (including paying hackers a ransom), multiple regulators criticized Uber’s response.

The FTC said it was “closely evaluating the serious issues raised.”

The New York Attorney General’s office said it opened an investigation of Uber’s actions. The Massachusetts Attorney General reported “serious concerns” about Uber’s conduct. Attorneys general in New York, Illinois, and Connecticut also opened investigations, as did the city of Portland, Oregon.

The UK Information Commissioner’s Office pointed out that “Deliberately concealing breaches from regulators and citizens could attract higher fines.” Current British law imposes penalties up to 500,000 pounds for failing to notify users and regulators about data breaches. More than 2.7 million UK users were affected.

Mexico’s National Institute of Transparency, Access to Information and Protection of Personal Data also criticized the breach and Uber’s response, seeking information about effects on Mexican citizens.

In addition, Uber faced three class action lawsuits alleging that it was negligent in its failure to protect consumer data.

Covered up 2016 hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders, as well as personal information about 7 million drivers (including 600,000 US driver’s license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber’s then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters reported that new CEO Dara Khosrowshahi said he had learned about the problem only “recently.”

Uber Chief Security Officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Drivers in Nigeria use fake GPS to inflate fares

In Lagos, Nigeria, Uber drivers used apps to override phone GPS, causing Uber’s app to record a longer route than was actually taken and inflating the fares charged to passengers. Quartz reports many drivers inflating fares by 1000 to 2000 naira ($3 to $6), though some inflated far more than that.

Drivers reported using this tactic in response to Uber reducing the amount they were paid. They describe protesting unsuccessfully, and resorting to GPS trickery for lack of other ways to get the payment they thought they deserved.

Some drivers said Uber knew about their methods and allowed them to continue. One driver described the Uber app reporting “fake location detected” yet allowing the driver to proceed and charge an inflated fare.

Uber says it refunds all riders who report fraudulent activity.

“Stack ranking” employee ratings allegedly disadvantage women

A former Uber engineer sued the company, alleging that its “stack ranking” system of evaluating employees had an unfair and disproportionate impact on women.

Bloomberg reported on research about stack ranking:

Academic researchers have found that performance rating systems like stack rankings play to managers’ unconscious — and conscious — biases. Reviewing a decade of performance reviews at a “large professional services firm,” Paola Cecchi-Dimeglio, a senior research fellow at Harvard Law School, found that women were 1.4 times more likely than men to receive critical feedback in highly subjective categories.

For example, in one pair of reviews a female employee was described as having “analysis paralysis.” A man with the same behavior was praised for his careful thoughtfulness. “There is a lot of bias in the system, more than in the people,” Cecchi-Dimeglio said.

Microsoft faced similar litigation in 2015, and Goldman Sachs in 2010. Both those companies ended the practice, as did Uber before the filing of this lawsuit.

Litigation docket including complaint.

Passenger steals driver’s tips; Uber declines to assist

After a passenger stole cash from a driver’s tip jar, caught in dashcam video, the driver contacted Uber to report the problem. Uber replied to note that the passenger denied the allegation. Uber continued:

If you believe the rider has your cash as captured from your dash cam and is refusing to return it, you may want to initiate a formal investigation via the police.

Facing subsequent media scrutiny, Uber said it had banned the passenger from further use of Uber.

Blind couple says Uber denied them a ride, dragged one down the street

A Boston couple reported that Uber denied them a ride because they were traveling with a service dog.

The Boston Globe reports that after being denied service, one of the passengers got his hand caught in the window and was dragged about 15 feet, causing road rash and requiring five stitches.

Uber said the driver was removed, and noted that drivers are required to accommodate service animals.

Autonomous vehicles made unsafe and unlawful turns through bike lanes

When Uber’s autonomous cars were driving in San Francisco, they violated state law as to treatment of bike lanes. The Verge explains:

San Francisco Bicycle Coalition … executive director, Brian Weidenmeier … said he twice saw an Uber car in self-driving mode make an “unsafe right-hook-style turn through a bike lane” during a trial of the service on Monday last week. Rather than merging into bike lanes early to make right-hand turns, as per California state law, the Uber vehicle reportedly pulled across the bike lanes at the last second, risking collisions with oncoming cyclists.

Weidenmeier explained further in a post with diagrams and citations to applicable California law.

Uber admitted that its autonomous vehicles have a “problem” with their treatment of bike lanes.