Ride-sharing giant Uber is caught in the headlights this week after an explosive lawsuit that alleges thousands of employees abused the service's lax security to secretly track customers — including celebrities, famous politicians, and ex-spouses.
The lawsuit, filed by a former employee in October, alleges the $70-billion company allowed unauthorized access to private information on its 40 million customers.
“[We’re] allowing ourselves to be tracked," said whistleblower Ward Spangenberg, Uber’s former head of information security compliance, in an exclusive television interview with NBC News. "I want people to be conscious of the fact that we are giving away our information.”
In the lawsuit, Spangenberg alleges that between March 2015 and February 2016, Uber employees were "able to track high-profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses."
VIP Access
Court documents describe how Uber failed to seal access to its own VIP files, known as the “MVP” list, which included stars such as Beyoncé as well as several high-profile senators and congressmen and congresswomen, according to Spangenberg and his lawyer, Barbara Figari.
Founded in San Francisco in 2009, Uber disrupted the transportation industry to become a global phenomenon: a $70 billion behemoth operating in almost 70 countries.
But Spangenberg believes the company's breakneck growth has sacrificed user privacy.
He claims that when he raised red flags over security, Uber management said, “Hey, great, thanks. We’ll take it under advisement. Now go solve other problems.”
According to court documents, Spangenberg was fired after working at Uber for just 11 months. He says he was asked to leave for raising these privacy issues.
But Uber Chief Security Officer Joe Sullivan told NBC News he personally fired Spangenberg for violating the employee code of conduct.
“I made the decision that we had to terminate his employment because I saw evidence that he had inappropriately accessed data,” Sullivan said, a charge that Spangenberg denies.
State-of-the-Art Security
Uber categorically denies that a “majority” of employees have access to customers’ personal information within the company.
"We take people's information [and] the trust that people put in us very seriously,” Uber Chief Security Officer Joe Sullivan told NBC News in an exclusive interview. "We’re committed to living up to their expectations."
Sullivan told NBC News that Uber has "invested heavily in building out a strong information security program," and has hired “over 200 people” to invest in “state-of-the-art technology to make Uber a service that people can trust.”
"I won't tolerate data access abuse at Uber and I've helped build out systems that will detect abuse if it happens and, as happened in this case, when we detect that abuse we'll terminate the employee,” Sullivan added.
Ultimately, security experts say that being actively aware of what kind of data is given up in mobile applications is key to maintaining personal privacy.
"You have to make a decision as to whether or not you're going to continue to trust that organization," said Robert Siciliano, privacy expert with Hotspot Shield and CEO of IDTheftSecurity.com. "Some users might just start using other services instead of using a service that has been tainted by insider potential invasions of privacy."
