Samuel Ward Spangenberg is suing his former employer, minicab firm Uber, claiming that he suffered age discrimination and retaliation after whistleblowing on some of the company’s practices.
As The Center for Investigative Reporting describes, Uber’s former forensic investigator claims that staff regularly snooped on customer records in order to spy on the movements of celebrity customers, ex-partners and spouses.
One of those allegedly snooped upon was pop superstar Beyoncé.
In a court statement, Spangenberg claimed that access to the alleged ‘God View’ was not tightly controlled:
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends and ex-spouses.”
“I also reported that Uber’s lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection.”
Michael Sierchio, a security engineer who worked at Uber until June 2016, confirmed Spangenberg’s allegations that customers were being spied upon:
“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications. It didn’t require anyone’s approval.”
If true, that’s pretty disturbing, and suggests a lax attitude to privacy and security at Uber.
Although not wishing to comment on an active legal case, Uber has issued a statement to the media:
“It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval. And this is based on more than simply the ‘honor system’: we have built [an] entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs.”
Hmm. I notice that Uber is saying that it’s untrue that ‘nearly all’ employees have access to customer data.
The company could perhaps have been more reassuring if it hadn’t used the present tense but instead said “It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have or have ever had access to customer data…”
But, for whatever reason, they didn’t say that.
Readers with long memories may recall the claim that in the early days of Facebook it was possible to access anybody’s account by using the password “Chu[k N0rr15” (Chuck Norris).