Driver names and license numbers improperly secured

In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code which let an unauthorized third party accessed driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.

The New York Attorney General described the breach and Uber’s handling of the situation:

The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”

As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee could to access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.

A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: The company initially notified less than half of the drivers affected, whereas others were notified some 16+ months later.

Litigation: driver assaulted passenger with a metal rod, yielding bleeding in brain

TMZ reported a lawsuit by a Chicago Uber passenger who says driver Munstr Abuseimi punched him repeatedly — then came back to his house with a metal rod which he used for further attacks. The passenger said he received a fractured left orbital, bleeding in his brain, concussion, and a dislocated jaw with nerve injury. Uber did not comment but said the driver no longer has access to the company’s app.

London police: Uber failed to report driver attacks

The Guardian reported a letter from the London Metropolitan Police’s taxi and private hire team, complaining that Uber failed to timely report drivers attacking passengers. “Had Uber notified police after the first offence, it would be right to assume that the second would have been prevented,” the letter explained. The letter said that Uber failed to report sexual assaults as well as an incident in which a driver “produced what was thought to be pepper spray during a road rage argument.”

High driver turnover

Citing internal Uber data, news site The Information reported (paid subscription required) that only 25% of drivers who passed Uber’s screening and drove at least one ride remained with Uber a year later. Many drivers report earning approximately $10 per hour after car maintenance and gas costs.

Knowingly leased recalled vehicles to drivers in Singapore

Uber knowingly leased recalled vehicles to its drivers in Singapore. A Wall Street Journal report (paid subscription required) describes a driver whose vehicle caught fire, due to the problem fixed by the recall, just after a passenger got out. WSJ explains:

News of the fire rippled through Uber’s Singapore office after its insurance provider said it wouldn’t cover the damage because of the known recall, emails show. Word reached Uber’s San Francisco executives two days later, emails show.

Uber’s lawyers in Singapore began assessing the legal liability, including possibly violating driver contracts for supplying faulty cars and failing to immediately inform the Land Transport Authority about the defective cars, emails show. “There is clearly a large safety/responsible actor/brand integrity/PR issue” for Uber, an internal report read.

Additional coverage from TechCrunch.

Overcharged commissions to New York drivers

For New York drivers, Uber took its commission based on gross fares including state taxes, rather than net fares after deduction of taxes. The New York Times estimated that this overcharged New York drivers by more than $200 million — and increased Uber’s revenue by the same amount.

A subsequent New York Times analysis compared Uber’s tax and billing practices across jurisdictions, examining receipts to assess irregularities and comparing changing contract language to understand Uber’s shifting approach.

Inconsistent positions as to driver employment status

Uber largely argues that drivers are not employees, allowing Uber to avoid paying payroll tax, providing workers’ compensation insurance, reimbursing employment-related expenses, and more.

But when Uber was sued for sending unsolicited text messages recruiting drivers, without recipients’ consent, Uber defended the messages on the grounds that they were offers of employment, which under federal law can be sent without a recipient’s consent.

Reduced tax obligations by classifying drivers as contractors, not employees

Uber classified drivers as contractors, not employees.  As a result, the company avoided withholding income tax from driver earnings, and avoided paying the employer’s share of payroll taxes.

The correctness of this classification is disputed via ongoing litigation in numerous jurisdictions. On July 12, 2017, Uber drivers in North Carolina won preliminary class-action status in a case brought under the Fair Labor Standards Act.