Covered up hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US drivers license numbers) (details).

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters indicated that new CEO Dara Khosrowshahi indicated only having learned about the problem “recently.”

Uber Chief Security officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Drivers in Nigeria use fake GPS to inflate fares

In Lagos, Nigeria, Uber drivers used apps to override phone GPS, causing Uber’s app to record a longer route than was actually taken and inflating the fares charged to passengers. Quartz reports many drivers inflating fares by 1000 to 2000 naira ($3 to $6), though some inflated far more than that.

Drivers reported using this tactic in response to Uber reducing the amount they were paid. They describe protesting unsuccessfully, and resorting to GPS trickery for lack of other ways to get the payment they thought they deserved.

Some drivers said Uber knew about their methods and allowed them to continue. One driver described the Uber app reporting “fake location detected” yet allowing the driver to proceed and charge an inflated fare.

Uber says it refunds all riders who report fraudulent activity.

Blind couple says Uber denied them a ride, dragged one down the street

A Boston couple reported that Uber denied them a ride because they were traveling with a service dog.

The Boston Globe reports that after being denied service, one of the passengers got his hand caught in the window and was dragged about 15 feet, causing road rash and requiring five stitches.

Uber said the driver was removed, and noted that drivers are rqeuired to accommodate service animals.

Specal iPhone permission let Uber app see iPhone screen even when app not running

Security researcher Will Strafach found Uber’s app enjoying an unusual Apple iOS security permission not used by any other app. Called com.apple.private.allow-explicit-graphics-priority, this permission allowed Uber’s app to see what was on the user’s screen even if the Uber app was not active.

An Uber spokesperson explained the purpose of this security permission: “It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app.” The spokesperson continued: “Apple gave us this permission years because Apple Watch couldn’t handle our maps rendering.”

Uber indicated that it used the entitlement only in version 8.2 of its app, and that a subsequent update from Apple fixed the memory issue for Apple Watch and made this workaround unnecessary.

London Police said Uber “aware of criminal activity and yet haven’t informed the police”

In an April 2017 letter, the London Metropolitan Police questioned why Uber had not notified the police about criminal offenses known to Uber. The Police reported Uber refusing to provide information within its custody unless the police submit a formal request, and also refusing to report crime to the police because such reports may breach rights of a passenger. The Police questioned Uber’s approach, saying that Uber is “allowing situations to develop” that affect public safety, and noting also that the extra steps Uber calls for can impede prompt prosecution and ultimately lead perpetrators to go free.

The letter’s conclusion:

The significant concern I am raising is that Uber have been made aware of criminal activity and yet haven’t informed the police. Uber are however proactive in reporting lower level document frauds to both the MPS and LTPH. My concern is twofold, firstly it seems they are deciding what to report (less serious matters / less damaging to reputation over serious offences) and secondly by not reporting to police promptly they are allowing situations to develop that clearly affect the safety and security of the public.

Passengers claim they were wrongly charged cleaning fees

Numerous passengers reported being charged cleaning fees, $50 to $150 or more, despite not making messes. Drivers can report that passengers caused messes (spilled drinks, urine, vomit, etc.) and receive compensation. But Uber has limited methods to assess whether drivers’ reports are accurate. Some passengers claimed that drivers sent false pictures or pictures taken on other occasions.

The Better Business Bureau said it has received more than 130 complaints about cleaning fees.

Details from CBS Philadelphia