Just a few months after Uber hired a new chief security officer away from Facebook, a data leak in the company’s new app for its “driver-partners” exposed the drivers’ licenses, Social Security numbers, and other personal information of an unknown number of those same not-quite-employees.
A driver spotted the leak after he tried to upload a document through the new app, telling Motherboard he was able to see “a lot of taxi certification forms and livery drivers licenses and W-9 forms with Social Security numbers for taxi cab companies.” Uber is said to have fixed the leak after it was reported.
Uber hired Joe Sullivan as its chief security officer in April. Here’s how chief executive Travis Kalanick explained the need to fill that position in a blog post:
It’s easy to see the Uber logo on your phone and think of us as just an app. But in many ways we’ve become a critical part of the infrastructure of cities. We are both in cyberspace and on city streets all at once; a bridge between bits and atoms. And as we get into tens of millions of rides a week, we continue to challenge ourselves to do even better when it comes to safety and data security.
That was always going to be a difficult task, given the apparent ease with which Uber executives can access rider info. As I wrote when Sullivan was hired:
A job interviewee was provided with full access to the company’s location databases. An executive tracked a journalist’s ride because she was running late for a meeting. Another journalist reported that her sources had warned her that Uber executives could use some of the service’s tools to spy on her.
All of which makes Sullivan an important hire for Uber. The company gathers too much information not to have a chief security officer, and there obviously needs to be a change at the company, because the only privacy violations that have been made public were all conducted by its executives.
Setting those issues aside, there have been other concerns about Uber’s security in recent months. Information about users’ rides was mistakenly leaked into Google search results. Users were charged for fraudulent rides in China. And the company only recently fixed a bug that allowed hackers to retain control over their targets’ accounts even if the owner changed the associated password.
Now, an app meant to give drivers more access to the information Uber collects about them (with things like customer complaints, their ratings, etc.) has leaked data that could be used to steal the identities of a couple of hundred Uber drivers. Thank goodness the company screens its drivers with background checks.