Regulators sued Uber for failing to disclose data breaches

After a data breach in which hackers stole data from about 600,000 drivers globally, for which Uber paid a ransom to hackers but did not notify affected drivers, regulators pursued Uber’s violation of applicable law, including state laws about notifying those subject to data breaches.

  • The FTC filed a revised complaint adding additional concerns to a prior action against Uber. Uber responded by agreeing to expand its prior settlement with the FTC over charges that it deceived consumers about its privacy and data security practices. The FTC specifically criticized Uber for failing to disclose the breach to the FTC until November 2017, fully a year after the breach occurred, even though the FTC was already investigating other Uber data security practices.
  • Pennsylvania sued, threatening a penalty of up to $13.5 million ($1000 for each of the 13,500 Pennsylvania drivers affected).
  • The city of Chicago also sued (complaint), seeking $10,000 per day for each day that Uber violated the state’s disclosure ordinance, as well as $50,000 for violating the Illinois Consumer Fraud Act.

Regulators criticized the company’s cover-up of data breach

After a data breach exposed information about 57 million user accounts and Uber covered it up (including paying hackers a ransom), multiple regulators criticized Uber’s response.

The FTC said it was “closely evaluating the serious issues raised.”

The New York Attorney General’s office said it opened an investigation of Uber’s actions. The Massachusetts Attorney General reported “serious concerns” about Uber’s conduct. Attorneys general in New York, Illinois, and Connecticut also opened investigations, as did the city of Portland, Oregon.

The UK Information Commissioner’s Office pointed out that “Deliberately concealing breaches from regulators and citizens could attract higher fines.” Current British law imposes penalties up to 500,000 pounds for failing to notify users and regulators about data breaches. More than 2.7 million UK users were affected.

Mexico’s National Institute of Transparency, Access to Information and Protection of Personal Data also criticized the breach and Uber’s response, seeking information about effects on Mexican citizens.

In addition, Uber faced three class action lawsuits alleging that it was negligent in its failure to protect consumer data.

Covered up hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US drivers license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber’s then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters reported that new CEO Dara Khosrowshahi said he had only learned about the problem “recently.”

Uber Chief Security Officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

Special iPhone permission let Uber app see iPhone screen even when app not running

Security researcher Will Strafach found Uber’s app enjoying an unusual Apple iOS security permission not used by any other app. Called com.apple.private.allow-explicit-graphics-priority, this permission allowed Uber’s app to see what was on the user’s screen even if the Uber app was not active.

An Uber spokesperson explained the purpose of this security permission: “It was used for an old version of the Apple Watch app, specifically to run the heavy lifting of rendering maps on your phone & then send the rendering to the Watch app.” The spokesperson continued: “Apple gave us this permission years because Apple Watch couldn’t handle our maps rendering.”

Uber indicated that it used the entitlement only in version 8.2 of its app, and that a subsequent update from Apple fixed the memory issue for Apple Watch and made this workaround unnecessary.

Misrepresented its monitoring of employee access to data, steps taken to secure data

In a press release, the FTC summarized its privacy-related complaint against Uber.

For example, Uber told the public that the company “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.” Uber claimed access was “closely monitored and audited by data security specialists on an ongoing basis.” Uber made strong claims in its privacy policy, such as “We use the most up to date technology and services” to protect customer data, and “we’re extra vigilant in protecting” customer data via “the highest security standards available.”

In contrast, the FTC found that Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts” in that the security system “was not designed or staffed … effectively.” The FTC continued: “In approximately August 2015, Respondent ceased using the automated system it had developed in December 2014 and began to develop a new automated monitoring system. From approximately August 2015 until May 2016, Respondent did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, Respondent only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.”

The FTC also criticized Uber for letting engineers use shared access keys with full administrative privileges to all data in Uber’s Amazon Web Services database, rather than requiring that each program and each engineer use a separate key. Uber further failed to restrict access based on employees’ job functions, and failed to require multi-factor authentication to access data. Until March 2015, Uber stored sensitive personal information in AWS in clear text without encryption.
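To make the FTC’s findings concrete, here is an added example (not Uber’s, AWS’s or the FTC’s code) that places a policy with the weak shape described above beside a corrected one and lints both; it assumes the data store is an S3 bucket, and the bucket name, policy documents and linter are constructed for illustration.

```python
"""Lint simplified IAM policies for the weaknesses the FTC described above.
Constructed example, not Uber's or AWS's own code; it assumes the data store is
an S3 bucket (placeholder name) and flags full-admin grants, data access without
an MFA condition, and uploads that are not forced to use encryption."""
import json

# Constructed: one shared policy granting every action on every resource.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Corrected form: job-scoped actions, MFA required, unencrypted uploads denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-driver-records/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-driver-records/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})

def _as_list(value):
    # IAM accepts a string or a list for Statement/Action/Resource; normalise.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json: str) -> list[str]:
    """Return one finding per weakness; an empty list means all checks pass."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"stmt {i}: full administrative access (Action * on Resource *)")
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"stmt {i}: data access allowed without an MFA condition")
    denies_unencrypted = any(s.get("Effect") == "Deny" and "s3:x-amz-server-side-encryption"
                             in json.dumps(s.get("Condition", {})) for s in statements)
    if not denies_unencrypted:
        findings.append("policy: unencrypted S3 uploads are not denied")
    return findings
```

Shared keys are not visible in a policy document; the per-engineer-key point has to be checked against the credential inventory, which this linter does not model.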

Driver names and license numbers improperly secured

In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code that let an unauthorized third party access driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.
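A pre-commit check of the kind that would have caught the posted access ID, as an added example that is not part of the original article or of Uber’s tooling: the sample diff content is constructed (using AWS’s documented example key values), and the key-ID format it matches (AKIA followed by 16 uppercase alphanumerics) is the documented format for IAM user access keys.

```python
"""Scan text about to be committed for AWS credentials.
Constructed example for the incident above; not Uber's or GitHub's code."""
import re

# IAM user access key IDs: "AKIA" followed by 16 characters from [A-Z0-9].
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret keys are 40 base64-like characters; only flag them next to an
# assignment so ordinary hashes and tokens do not trip the check.
SECRET_KEY = re.compile(r"(?i)aws_?secret_?access_?key\W{0,4}([A-Za-z0-9/+=]{40})")

# Constructed sample of a settings file an engineer might commit by mistake
# (values are AWS's published example credentials, not live keys).
SAMPLE_DIFF = """\
+S3_BUCKET = "driver-records"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
"""

def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)

def find_aws_credentials(text: str) -> list[dict]:
    """Return one finding per leaked credential with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id",
                             "value": redact(m.group(1))})
        for m in SECRET_KEY.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key",
                             "value": redact(m.group(1))})
    return findings
```

Wired into a pre-commit hook, a non-empty result blocks the commit; the redacted value tells the engineer which line to clean up without copying the secret into hook output or CI logs.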

The New York Attorney General described the breach and Uber’s handling of the situation:

The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”

As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee who could access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.

A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and Social Security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: the company initially notified fewer than half of the drivers affected, and others were notified some 16+ months later.

Tracked driver activity on Lyft servers

News site The Information in April 2017 reported that Uber built a program it called “Hell” to track how many Lyft drivers were available, where they were located, and whether they also drove for Uber. Uber then targeted these drivers with special promotions to encourage them to use Uber only.

By all indications, Uber collected data for “Hell” by connecting to Lyft’s servers in a manner prohibited by Lyft’s Terms of Service.

The Information reported that Uber then-CEO Travis Kalanick personally praised the Hell team, saying that they demonstrated Uber’s culture in their willingness to “hustle” in order to win.

In September 2017, the Wall Street Journal reported that the FBI was investigating Uber’s “Hell” practices.

Bloomberg reports that Hell was overseen by Joe Sullivan, Chief Security Officer of Uber, through a team formerly known as Competitive Intelligence.

See also the “Surfcam” program whereby Uber tracked data from Grab.

“Fingerprinting” iPhones to track reinstalls

In 2015, Uber added code to its iPhone app to recognize when it had been deleted on a phone, then reinstalled.  The New York Times said this method “violated Apple’s privacy guidelines” and reported that Uber CEO Travis Kalanick was summoned to meet Apple CEO Tim Cook, who insisted that Uber cease the practice or be removed from Apple’s App Store.

Tracked users when app runs in the background

A May 2015 change in Uber’s privacy policy allows the company to access users’ locations even when the app is running in the background.  Uber described this as “get[ting] people on their way more quickly.”  But it also sharply increased the private information sent to Uber.

Details appear in a 2015 complaint from the Electronic Privacy Information Center, submitted to the FTC. Recode in June 2017 reported that the FTC had opened an inquiry.

“God View” let Uber staff see any passenger’s activity

An Uber employee told a visiting journalist that he had tracked her, leading her to uncover an internal company tool called “God View” that let Uber staff see the travels of any passenger including both real-time and historic location, all without the passenger’s knowledge.

Uber granted job candidates provisional access to the same customer location data provided to full-time employees.  One candidate reported having this access for an entire day, even after the interview ended.  He admitted searching for records of people he knew, including politicians’ relatives.

Uber also displayed customer data to members of the public invited to its premises. At a 2011 party celebrating Uber’s launch in Chicago, Uber let guests visually track passenger rides, without users’ permission or knowledge.