A former Uber employee is alleging in a California lawsuit that a lack of security measures allowed employees to spy on riders through their Uber accounts.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Samuel Ward Spandenberg, a former forensic investigator for Uber, who is suing the company for wrongful termination, said in a court declaration filed in October.
"Uber collected data regarding every ride a user requested, their username, the location the ride was requested from, the amount they paid, the device used to request the ride (i.e., iPhone, Droid, etc.), the name and email of the customer, and a myriad of other data that the user may or may not know they were even providing to Uber by requesting a ride," Spandenberg added.
Barbari Figar, Spandenberg’s attorney, told ABC News, “The data that was included in that, included the trip origin, trip destination, route taken, what type of Uber.”
Spandenberg said that while he worked at Uber he reported his concerns over the company's security issues.
The company later fired him, citing that he violated their code of conduct and re-imaged his laptop, but he alleges that the reason he was fired was for making complaints about their data security, and he sued for wrongful termination. Uber denied these claims in court documents.
John Flynn, Uber's chief information security officer, denied Spandenberg's allegations in a statement to ABC News saying, "It’s absolutely untrue that 'all' or 'nearly all' employees have access to customer data, with or without approval. And this is based on more than simply the 'honor system': we have built entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs. This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access."
Flynn added that the company "continues to increase our security investments."
"This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated," Flynn said. "What’s more, if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee’s role. All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated."
The lawsuit, which was filed in May, is currently in arbitration, but it resurfaced this week after a recent Center for Investigative Reporting story about the claims.
Will Evans, a journalist with the Center for Investigative Reporting, spoke to Spandenberg for his article on the lawsuit.
“He said that it was an ongoing problem, that since so many people had this wide access, that anybody could look up anything and then the company would try to catch people afterwards,” Evans told ABC News.