Uber ‘God View’ allowed staff to spy on high-profile politicians, ex-partners and Beyoncé, court hears

Whistleblower claims taxi firm was lax in its security.

Graham Cluley

Samuel Ward Spangenberg is suing his former employer, minicab firm Uber, claiming that he suffered age discrimination and retaliation after whistleblowing on some of the company’s practices.

As The Center for Investigative Reporting describes, Uber’s former forensic investigator claims that staff regularly snooped on customer records in order to spy on the movements of celebrity customers, ex-partners and spouses.

One of those allegedly snooped upon was pop superstar Beyoncé.

In a court statement, Spangenberg claimed that access to the alleged ‘God View’ was not tightly controlled:

“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends and ex-spouses.”

“I also reported that Uber’s lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection.”

Michael Sierchio, a security engineer who worked at Uber until June 2016, confirmed Spangenberg’s allegations that customers were being spied upon:

“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications. It didn’t require anyone’s approval.”

If true, that’s pretty disturbing, and suggests a lax attitude to privacy and security at Uber.

Although not wishing to comment on an active legal case, Uber has issued a statement to the media:

“It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval. And this is based on more than simply the ‘honor system’: we have built [an] entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs.”

Hmm. I notice that Uber is saying that it’s untrue that ‘nearly all’ employees have access to customer data.

The company could perhaps have been more reassuring if it hadn’t used the present tense but instead said “It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have or have ever had access to customer data…”

But, for whatever reason, they didn’t say that.

Readers with long memories may recall the claim that in the early days of Facebook it was possible to access anybody’s account by using the password “Chu[k N0rr15” (Chuck Norris).


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
