Driver names and license numbers improperly secured

In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code, which let an unauthorized third party access driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.

The New York Attorney General described the breach and Uber’s handling of the situation:

The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”

As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee who could access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.

A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and Social Security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: the company initially notified fewer than half of the drivers affected, whereas others were notified some 16+ months later.

Inferior access to passengers who use wheelchairs (New York City)

A July 2017 complaint, filed by the nonprofit legal group Disability Rights Advocates in New York, criticized Uber’s failure to include wheelchair-accessible vehicles in its standard UberX fleet, claiming that 99.9% of Uber’s vehicles were inaccessible to people with mobility disabilities, in violation of New York’s anti-discrimination laws.

The lawsuit alleged that Uber riders who need wheelchair-accessible vehicles face significantly longer wait times than other passengers, and that at some periods and in some places, no wheelchair-accessible vehicles are available at all.

The lawsuit further alleged that passengers attempting to use Uber’s accessible service face extended wait times, or are denied access to the service altogether, which the plaintiffs said reveals that the accessible service was “window-dressing designed to avoid government regulation and legal requirements” and insufficient under law.

Overcharged commissions to New York drivers

For New York drivers, Uber took its commission based on gross fares including state taxes, rather than net fares after deduction of taxes. The New York Times estimated that this overcharged New York drivers by more than $200 million — and increased Uber’s revenue by the same amount.

A subsequent New York Times analysis compared Uber’s tax and billing practices across jurisdictions, examining receipts to assess irregularities and comparing changing contract language to understand Uber’s shifting approach.

Recruited drivers with exaggerated earnings claims

The Federal Trade Commission flagged Uber for exaggerating the yearly and hourly income drivers could make in certain cities. For example, Uber claimed on its site that uberX drivers’ annual median income was more than $90,000 in New York and more than $74,000 in San Francisco — but the FTC found that the actual medians were $61,000 and $53,000 respectively, and that less than 10 percent of all drivers in those cities earned the amounts Uber touted.

The FTC also alleged that Uber made false hourly earnings claims in job listings on Craigslist and elsewhere. In eighteen different cities where Uber advertised hourly earnings on Craigslist, fewer than 30% of drivers earned the promised amount. In some cities, as few as 10% of drivers earned the promised amount. Details in the FTC’s complaint.

Uber paid $20 million to settle these claims (along with claims about vehicle financing terms). The funds were used to provide refunds to affected drivers.

Underpaid New York drivers

By retaining commissions 2.6% beyond the amount specified in the applicable contract, Uber underpaid drivers in New York. Jim Conigliaro, founder of the Independent Drivers’ Guild, called Uber’s actions “theft.” Engadget reported that the amount averaged $900 per driver, yielding a total overcharge of more than $40 million.

2015 contract revisions indicate that Uber knew it was wrongly taking commission on gross fares, thereby overcharging drivers, though the company denied that allegation.

Blocked regulators’ investigations by sending bogus data

Through its “Greyball” system, Uber attempted to identify officials investigating its methods, including by noting accounts created from within or near regulators’ offices and rides requested from those areas. When a user was classified as affiliated with a regulator, Uber intentionally denied that user’s requests, declining to send a driver—preventing the regulator from finding drivers and bringing enforcement actions against drivers or Uber.

The US Department of Justice launched a criminal probe into Uber about this practice.

The New York Times reported that at least 50 people inside Uber knew about these tactics, and that the program was approved by then-General Counsel Salle Yoo.

Litigation by Uber investor Benchmark Capital reported that, as of August 2017, Uber faced Greyball-related regulatory inquiries in Portland, Oregon; subpoenas from US Attorneys in California and New York; various other city and state inquiries; and an inquiry from the European parliament.

In September 2017, Portland finished its investigation, finding that Uber had used Greyball to block 29 ride requests by 16 government officials whose job it was to regulate Uber.

Portland Bureau of Transportation Audit of Greyball including full audit report