Covered up hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US drivers license numbers) (details).

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters indicated that new CEO Dara Khosrowshahi indicated only having learned about the problem “recently.”

Uber Chief Security officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Drivers in Nigeria use fake GPS to inflate fares

In Lagos, Nigeria, Uber drivers used apps to override phone GPS, causing Uber’s app to record a longer route than was actually taken and inflating the fares charged to passengers. Quartz reports many drivers inflating fares by 1000 to 2000 naira ($3 to $6), though some inflated far more than that.

Drivers reported using this tactic in response to Uber reducing the amount they were paid. They describe protesting unsuccessfully, and resorting to GPS trickery for lack of other ways to get the payment they thought they deserved.

Some drivers said Uber knew about their methods and allowed them to continue. One driver described the Uber app reporting “fake location detected” yet allowing the driver to proceed and charge an inflated fare.

Uber says it refunds all riders who report fraudulent activity.

Passenger steals driver’s tips; Uber declines to assist

After a passenger stole cash from a driver’s tip jar, caught in dashcam video, the driver contacted Uber to report the problem. Uber replied to note that the passenger denied the allegation. Uber continued:

If you believe the rider has your cash as captured from your dash cam and is refusing to return it, you may want to initiate a formal investigation via the police.

Facing subsequent media scrutiny, Uber indicated having banned the passenger from further use of Uber.

Female driver in UK claimed gender discrimination due to insufficient security

A female driver in the UK claimed gender discrimination in that Uber purportedly failed to provide sufficient security to female drivers. She complained that she had to accept a passenger’s request without knowing the destination in advance, and had no option to cancel requests to remote or unsafe destinations. She also complained that Uber would penalize her if she canceled a trip for an aggressive passenger or a passenger raising other safety concerns.

London Employment Tribunal determined that Uber drivers are employees

In response to a complaint from trade union GMB, the London Employment Tribunal determined that Uber drivers are employees.

Remarking “the lady doth protest too much, methinks” at Uber’s numerous contractual provisions insisting that drivers are not employees, the LET simultaneously looked at Uber’s various “unguarded moments” in which the company used terminology most consistent with employment status. Ultimately the LET said it is “unreal” to deny the “practical reality” that Uber provides transportation services, and in that context the LET found that the drivers must be employees.

The LET rejected as “ridiculous” the suggestion that Uber is “a mosaic of 30,000 small businesses linked by a common ‘platform.'” The LET rejected Uber’s claim of only providing driver with “leads.” For one, drivers have no opportunity to negotiate or bargain with passengers. The LET also examined the interaction between drivers and passengers, including when drivers learn the route and how payment occurs. The LET said all these factors indicate an employment relationship.

In a 13-item list, LET gathered factors indicating that drivers are employees, including those detailed above as well as Uber’s practice of interviewing and recruiting drivers, instructing drivers in various respects, setting routes, collecting ratings and imposing penalties, handling complaints, and having the power to amend the contract provisions of the relationship.

Informed by the finding that drivers are employees, the LET went on to analyze their rights as employees and Uber’s violations of those rights.

London Employment Tribunal determined that Uber unlawfully denied basic workers’ rights

Having determined that Uber drivers are employees, the London Employment Tribunal further determined that Uber unlawfully denied drivers certain basic rights guaranteed to all employees.

Among other rights, GMB alleged that Uber drivers were entitled to holiday pay, a guaranteed minimum wage, and breaks.

GMB specifically challenged the amount that drivers are paid. After deducting costs and fees, GMB found that members could make as little as 5 GBP per hour, well below the national minimum wage of 7.20 GBP. They also challenged Uber’s practice of deducting sums from drivers’ pay including in response to customer complaints.

LET also found that, contrary to Uber’s insistence that Netherlands law governs the relationship between Uber and its London drivers, in fact British law governs because the relationship “relevant to the situation” was the UK.

Uber appealed the decision. A judgment of the appeal is expected in late 2017.

Fuel Card duplicate charges

Uber provided some drivers with “fuel cards” usable for gasoline, carwashes, and other services, at a discount, with charges deducted from future Uber earnings. Multiple drivers reported duplicate charges. Representative quotes:

“Double charged for gas with Uber card. Same transaction. Exact same time and date stamp. You took double from my earnings…The rep last night said they have had multiple calls for this same issue. That it would be cleared up by midnight. Today it’s still not fixed and the rep said he couldn’t do anything about it! Uber this is unacceptable” (September 6, Facebook, Florida driver).

“Gas card is very funny…Something is fishy about how this card works. Once I was triple charged and no one caught on until I bought it to Uber attention and the fixed it. I no longer want to use card” (September 2017, YouTube, Curtis J.).

“I was looking over my transaction history and there is two gas card purchases. Same amounts/ days. I was charged twice for 1” (June 28, Twitter).

“Hey my uber gas card was charge 3 times at the same time and day, but different days each” (June 28, Twitter, Oregon driver).

“It’s been 4 days since I wrote to customer care to review my fuel card charges, there were duplicate charges on it and I was overcharged, I have sent screenshots of duplicate charges but so far I got only one reply yesterday with copy pasted text that has nothing to do with what I asked for.” (April 4, Facebook, New York driver).

Drivers reported heightened difficulty resolving the problems because Uber told them to contact FleetCor, which operated the fuel card program. FleetCor in turn told them to contact Uber.

Drivers also reported that Uber and FleetCor suggested that the drivers conduct their own investigations into the disputed transactions such as interviewing merchants and requesting refunds from merchants. Most drivers found these approaches untenable, particularly because the fraudulent charges could occur at distant merchants far from where the drivers lived.

A further challenge for drivers is that many did not know how to contact FleetCor. The Uber-provided FleetCor card does not include a customer service phone number. Drivers would need to find the number in the original card materials that provided in an envelope along with the card — easily overlooked or discarded.

An October 5, 2017 report from The Capitol Forum (paid subscription required) analyzed these concerns and tabulated these and numerous additional driver complaints.