Uber’s Database Could Be Tempting for Hackers

Uber knows where its users go, how often they go there, who else goes there, and more.

Photo by Adam Berry/Getty Images

Uber hasn’t looked so hot on privacy lately. Between senior executive Emil Michael suggesting at a private dinner that Uber dig up dirt on journalists, and the revelation that general manager Josh Mohrer had been disciplined by the company for privacy violations against users, November was a rough month.

But before it all blows over, the Washington Post wants to point out one more thing: Uber’s database of user ride data is expansive, valuable, and will probably be targeted by hackers at some point, if it hasn’t been already. Uber has travel data tracked by account. It knows where people go, when they show up, and maybe even how long they’re there.

An intelligence agency, private investigator, criminal, or anyone else who might be interested in people’s movements could have reason to hack into Uber’s database. And everything would be laid out on a silver platter for them via Uber’s “God View” tool. As the Post puts it, if such a situation existed (which it apparently does), “Wouldn’t that strike you as a hacking opportunity of remarkable awesomeness?”

And there are reports that employees even let outsiders have access to the data. One anonymous source who interviewed for a job at Uber in 2013 told the Post that he or she was allowed to play around with Uber’s data and tools for hours after the interview itself. Responding generally, Uber said in a statement, “Our data privacy policy applies to all employees: access to and use of data is permitted only for legitimate business purposes. Data security specialists monitor and audit that access on an ongoing basis.”

On Hacker News, commenters have been debating the validity of the permissions the Uber app asks for on Android. Some say that “there’s perfectly reasonable explanation for almost all of these permissions,” which seem to include requests for access to things like a user’s battery status and phone call details. But other commenters are less positive: “Uber’s Android app is literally malware,” one writes.

Given all of the huge corporate data breaches that have happened in 2014, it seems reasonable to worry that a startup sitting on data gold could be targeted at some point. If your whereabouts might matter to someone, think carefully about using Uber.