Uber Rides Can Expose Key Company Data, Appthority Says

Cybersecurity persistent threats

Businesses may want to limit their employees’ use of Uber’s ride-hailing service to protect secrets such as merger discussions and the medical conditions of key executives, a Bay Area mobile cybersecurity firm says.

In a review of Uber’s privacy and security measures, Appthority found that the newer version of Uber’s app is expanding its collection of personal user data to include calendar entries; meeting schedules; camera inputs; text messages; and contact information for colleagues and others.

Uber is also sharing some of that information with hundreds of other apps, as it builds out its app as a home base within which riders can call up other mobile services, such as restaurant finders for their destination neighborhoods, Appthority says.

At the same time, the ride-hailing giant isn’t ensuring that the apps it links with are following its recommended privacy and encryption policies, the security firm says.

By tapping into the data gleaned by Uber, observers could detect activity hinting at an upcoming business deal, such as C-level executives visiting the address of a merger target, according to Appthority, which specializes in mobile security for companies. In another scenario, an outsider might figure out from the clinic address in a calendar entry that a top company executive has been diagnosed with cancer—a possibility that could move stock prices.

Hackers who merely know the topic of a conference and the names of a few attendees could send simulated e-mails from those people to their colleagues, and trick them into opening an attachment containing malware, Appthority’s co-founder and president Domingo Guerra says.

Information related to medical treatment is now passing through Uber’s network due to its integrations with two apps, Relatient and Medstar, which remind patients about their doctor’s appointments, Appthority says. Uber is also offering businesses a service that allows employees to claim travel expenses through their personal accounts.

Appthority advises companies that find the risks of using Uber too great to blacklist the app for all or some users. Those who are allowed to continue to use it can protect themselves and their employers by turning off the location services in Uber’s app. Users would then need to type in the address where they want to be picked up.

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.