Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding the Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach.
CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on its leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, shortly before PLAY ransomware targeted the Court of Cordoba in Argentina (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, officials stated that it had a particularly significant impact on residential facilities throughout the city. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personally identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in the wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting its FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow which, if successfully exploited, could allow unauthenticated attackers to achieve arbitrary remote code execution (RCE). Specifically, the vulnerability exists within the FortiOS sslvpnd daemon, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense, who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise, can be found in the Fortinet advisory linked below.
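The log-monitoring advice above is easy to operationalize while a patch window is being scheduled. The following is an added example, not code from Ankura, Fortinet or Olympe Cyberdefense: it parses FortiGate-style key=value syslog lines and flags any SSL-VPN event whose remote address falls inside a watchlist of IPs or CIDR ranges. The watchlist entries and the log lines are constructed placeholders (TEST-NET documentation addresses), standing in for the real indicators published in the Fortinet advisory; substitute those when running it against your own logs.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Placeholder watchlist (assumption): TEST-NET addresses standing in for the IPs
# Fortinet published. Entries may be single hosts or CIDR ranges.
WATCHLIST = ["203.0.113.10", "198.51.100.0/24"]

# Constructed sample log lines in FortiGate key=value syslog style (not real device output).
SAMPLE_LOGS = [
    'date=2022-12-12 time=09:01:11 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.7 user="alice" reason="sslvpn_login_unknown_user"',
    'date=2022-12-12 time=09:02:45 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="N/A" reason="sslvpn_login_unknown_user"',
    'date=2022-12-12 time=09:03:02 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.77 user="bob" tunneltype="ssl-web"',
    'date=2022-12-12 time=09:05:30 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.9 user="carol" tunneltype="ssl-web"',
]

# key=value where the value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style key=value line into a dict."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def build_networks(watchlist: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Normalize hosts and CIDRs to network objects so one membership test covers both."""
    return [ipaddress.ip_network(entry, strict=False) for entry in watchlist]


def match_watchlist(lines: Iterable[str], watchlist: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records whose remote IP (remip) is inside any watchlist entry."""
    nets = build_networks(watchlist)
    hits = []
    for line in lines:
        rec = parse_kv(line)
        remip = rec.get("remip")
        if not remip:
            continue
        try:
            addr = ipaddress.ip_address(remip)
        except ValueError:
            continue  # malformed address: skip the line rather than abort the sweep
        if any(addr in net for net in nets):
            hits.append(rec)
    return hits


def flagged_sources(lines: Iterable[str], watchlist: Iterable[str]) -> List[str]:
    """Distinct watchlisted source addresses seen in the logs, sorted for reporting."""
    return sorted({rec["remip"] for rec in match_watchlist(lines, watchlist)})


if __name__ == "__main__":
    for rec in match_watchlist(SAMPLE_LOGS, WATCHLIST):
        print(f'{rec["date"]} {rec["time"]} remip={rec["remip"]} '
              f'action={rec["action"]} user={rec["user"]}')
```

Feed the script a rolling export of the `vpn` event subtype (for example, the syslog stream forwarded to the SIEM) rather than the device's own disk log, so that a review of the log is not hampered if the device itself is compromised; a hit on a watchlisted address, whether the login failed or a tunnel came up, is the trigger for the isolate-and-patch decision rather than a confirmation of exploitation on its own.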

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

Former Uber Security Chief Found Guilty in Criminal Trial for Failure to Disclose Breach to FTC

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

The government alleged that in 2016, in the midst of an ongoing FTC investigation into Uber for a 2014 data breach, Sullivan learned of a new breach that affected the personal information of more than 57 million Uber customers and drivers. The hackers allegedly demanded a ransom of at least $100,000 from Uber. Instead of reporting the new breach to the FTC, Sullivan and his team allegedly paid the ransom and had the hackers sign a nondisclosure agreement. Sullivan also allegedly did not report the breach to Uber’s General Counsel. Uber did not publicly disclose the incident or inform the FTC of the incident until 2017, when Uber’s new chief executive, Dara Khosrowshahi, joined the company.

This case is significant because it represents the first time a company executive has faced criminal prosecution related to the handling of a data breach.


Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Driven To The Edge: Saga Of Uber And Lyft Litigation Continues As Court Of Appeal Affirms Order Forcing Driver Reclassification

On Thursday, October 22, 2020, the California Court of Appeal denied Uber and Lyft’s request to overturn a recent California Superior Court’s preliminary injunction ordering the companies to reclassify their drivers as employees, rather than independent contractors. With the appeal garnering Amicus Curiae briefs from more than 50 different organizations—ranging from the U.S. Chamber of Commerce to Mothers Against Drunk Driving—the decision marks the most recent entry in the highly watched ongoing litigation against the companies over their compliance with A.B. 5. With California’s upcoming vote on Proposition 22, however, many are left wondering what, if any, impact the denial might have on Uber, Lyft, or the gig economy as a whole.

The litigation involves a recent complaint filed by the California Labor Commissioner alleging, in relevant part, that Uber and Lyft violated California’s recently enacted legislation, A.B. 5, by classifying their app-based drivers as independent contractors, rather than employees. Under A.B. 5, companies are required to classify their workers as employees unless the companies can show:

  • The workers are generally free from the company’s direction and control over how they perform their work;
  • The workers are not engaged in the type of work the company usually engages in in its regular course of business; and
  • The workers are engaged in an established trade or profession separate and apart from the company itself.

Whether or not Uber and Lyft’s app-based drivers satisfy this test has been a hotly debated point of dispute. For Uber and Lyft, however, the consequences of being found to not pass this test are potentially dire, as an adverse decision on this point would force the companies to restructure their entire business model by changing the classification of their app-based drivers from independent contractors to employees.

The appeal was motivated by a California Superior Court’s recent decision to issue a preliminary injunction that ordered Uber and Lyft to begin this reclassification process, even prior to the suit’s resolution—a decision signaling that the Superior Court believed the companies to be fighting an uphill battle they would ultimately lose. In light of the order, Uber and Lyft promptly appealed the decision, citing in relevant part, the grave harm that the order would cause by necessitating “substantial changes to…organizational structure, hiring processes, software tools and management systems, and company culture.” To adapt to these forced changes, the companies explained that they would likely need to “reduce the number of drivers” allowed to use the platform, “control the drivers’ time…by having them work scheduled shifts,” and “prohibit drivers…from unilaterally rejecting or cancelling rides.” Unfortunately, Uber and Lyft’s arguments ultimately fell on deaf ears, as the Court of Appeal affirmed the lower court’s ruling forcing the companies to reclassify their app-based drivers—although the order isn’t set to take effect for at least 30 days.

Proposition 22 could save Uber and Lyft from this fate long before those 30 or so days are up. Currently set for the November 3rd ballot, Proposition 22 would exempt certain gig-economy companies, like Uber and Lyft, from the strictures of A.B. 5 while simultaneously allowing for a new middle ground between independent contractor and employee classification. The ballot initiative would do this by: (a) allowing app-based drivers to maintain their traditional independent contractor status; while also (b) providing them with new and added benefits not previously available to independent contractors—a compromise that could inure to the benefit of both parties.

If successful, Proposition 22 could stop the California Labor Commissioner’s suit in its tracks. As a result, only time will tell if the recent Court of Appeal ruling will ultimately have any impact on Lyft, Uber, or the gig economy generally.


©2020 Greenberg Traurig, LLP. All rights reserved.

Thieves Breach Twitter Security to Commandeer Famous Accounts

The Twitter accounts of major companies and individuals were briefly taken over as part of a bitcoin scam. Former and current heads of state, global corporations, and presidential candidates had their Twitter accounts compromised. The tweets from many of the compromised accounts said similar things: for example, Kanye West’s feed stated that he is “giving back to my fans”; the messages from Bezos’, Barack Obama’s, and Joe Biden’s accounts said that they had “decided to give back to my community”; while Elon Musk’s account said “feeling greatful” and provided a link to a Bitcoin wallet to send money to. The tweets indicated that the account holders would send double the money back to a limited number of contributors.

Twitter, through its Twitter Support account, notified users that an internal investigation was conducted into the matter. The investigation revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack.” Twitter’s internal system was then exploited to tweet from high-profile accounts. The attack was at least moderately successful considering the Bitcoin wallets promoted in the tweets received over 300 transactions and Bitcoin worth over $100,000.

These tweets began at about 4 P.M. (Eastern Standard Time) on Wednesday, July 16. The first wave of attacks hit the Twitter accounts of prominent cryptocurrency leaders and companies, but expanded quickly after that. Along with Vice President Biden, President Obama, Kanye West, Bill Gates, Michael Bloomberg, and Elon Musk, large company accounts were also targeted, including Uber and Apple. Twitter’s initial response was to take down the offending tweets, but those were quickly replaced by new ones – an indication that the hackers maintained access to the individual accounts.

The persistence of the attacks led to Twitter disabling some of the platform services, including the ability of blue-checked (verified) Twitter users to tweet. The services were restored around four and a half hours after the suspicious tweets began. However, that shutdown period was not insignificant. Several National Weather Service Twitter accounts were shut down as a line of severe weather and possible tornadoes moved across the Midwest. The National Weather Service felt severely hampered in its ability to communicate with people about the impending storm.

In a tweet, Twitter’s CEO Jack Dorsey said that the company feels “terrible this happened” and that they are “diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.” The nature of this attack is yet to be determined. The legal implications will hinge on the findings of the investigation, including whether there were sensitive direct messages accessed by the attackers. Considering the compromised accounts include current and former heads of state (Prime Minister Benjamin Netanyahu, President Obama, and Vice President Biden), there are also questions of national security involved.

The United States does not have a comprehensive federal data breach notification scheme. These obligations are provided by the fifty states and sector-specific laws. More than 40 of the state breach notification laws contain a harm threshold pursuant to which notification is not required unless harm to affected individuals has occurred or is reasonably likely to occur. The EU’s GDPR also includes a similar assessment. As more information is disclosed, we will get a better understanding of Twitter and the attacked users’ incident response processes.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

Federal Court Issues Eleventh-Hour TRO to Enjoin Enforcement of California’s Controversial New Independent Contractor Law for 70,000 Independent Truckers

On January 1, 2020, California’s new independent contractor statute, known as AB 5, went into effect. The law codifies the use of an “ABC” test to determine if an individual may be classified as an independent contractor.

The hastily passed and controversial statute has been challenged by a number of groups as being unconstitutional and/or preempted by federal law, including ride-share and delivery companies and freelance writers.

Just hours before AB 5 went into effect, a California federal court in San Diego enjoined enforcement of the statute as to some individuals – approximately 70,000 independent truckers, many of whom have invested substantial sums of money to purchase their own trucks and to work as “owner-operators.”

In the lawsuit, the California Trucking Association (“CTA”) has alleged that the “ABC” test set forth in AB 5 is preempted by the Federal Aviation Administration Authorization Act of 1994 (“FAAAA”).

The CTA asserts that the FAAAA preempts the “B” prong because it will effectively operate as a de facto prohibition on motor carriers contracting with independent owner-operators, and will therefore directly impact motor carriers’ services, routes, and prices, in contravention of the FAAAA’s preemption provision.

The CTA further contends that the test imposes an impermissible burden on interstate commerce, in violation of the Commerce Clause of the U.S. Constitution. The CTA asserts that the test would deprive motor carriers of the right to engage in the interstate transportation of property free of unreasonable burdens, as motor carriers would be precluded from contracting with a single owner-operator to transport an interstate load that originates or terminates in California. Instead, motor carriers would be forced to hire an employee driver to perform the leg of the trip that takes place in California.



©2020 Epstein Becker & Green, P.C. All rights reserved.

Court to Consider Whether California Ride Share Drivers Who Make Airport Runs Are Exempt from the Federal Arbitration Act

On November 26, 2019, San Francisco Superior Court Judge Richard B. Ulmer ruled that the Federal Arbitration Act (“FAA”) might not apply to Uber drivers who are engaged in interstate commerce while driving passengers to or from international airports.

In his claims before the Division of Labor Standards and Enforcement (“DLSE”), driver Sangam Patel (“Patel”) seeks recovery of unpaid wages, overtime pay, vacation pay, meal and rest break premiums, and unpaid business expenses allegedly owed by Uber. Uber petitioned to compel arbitration of Patel’s claims under the FAA.

The Labor Code provides a right to bring an action to collect wages notwithstanding the existence of an arbitration agreement. Cal. Lab. Code § 229. If the FAA applies, a written arbitration agreement “shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract.” 9 U.S.C. § 2. The FAA applies to any “contract evidencing a transaction involving commerce” that contains an arbitration provision. Id. The FAA does not apply, however, to “contracts of…workers engaged in foreign or interstate commerce.” Id., at § 1.

Notably, there is a distinction between the term “involving” for purposes of section 2 and the term “engaged in” for purposes of section 1.

As the California Court of Appeal explained earlier this year in Muller v. Roy Miller Freight Lines, LLC (2019) 34 Cal.App.5th 1056, 1062, “the [United States] Supreme Court reasoned the plain meaning of ‘engaged in’ interstate commerce in section 1 is narrower in scope than the open-ended phrase ‘involving’ commerce in section 2. Unlike section 2’s reference to ‘involving commerce,’ which ‘indicates Congress’ intent to regulate to the outer limits of its authority under the Commerce Clause’ and thus is afforded an ‘expansive reading,’ section 1’s reference to ‘engaged in commerce’ is ‘narrower,’ and therefore ‘understood to have a more limited reach,’ requiring ‘a narrow construction’ and a ‘precise reading.’” (Internal citations omitted.)

Uber argued that the FAA applies to its arbitration provision because it involves commerce as the Uber app is available to riders and transportation providers in over 175 cities across the United States. Relying on precedent that stands for the proposition that workers need only engage in activities that affect interstate commerce to be considered “engaged in interstate commerce,” the Labor Commissioner argued that Uber drivers such as Patel engage in interstate commerce when they transport passengers to and from international airports, thus rendering the FAA inapplicable.

The argument is similar to that raised in Singh v. Uber Techs. Inc. earlier this year, where the U.S. Court of Appeals for the Third Circuit rejected Uber’s argument that a group of New Jersey drivers suing for unpaid overtime wages were required to arbitrate their claims. The Singh court found that transportation workers who transport passengers may be exempt from the FAA if they are engaged in interstate commerce. Singh claimed that he frequently transported passengers on the highway across state lines, between New York and New Jersey. In light of the factual dispute as to whether Uber drivers engaged in interstate commerce, the Third Circuit sent the case back to the district court to decide, after discovery on the issue, whether Singh and the proposed class of Uber drivers engaged in interstate commerce. If they did, the FAA would not apply.

Consistent with the Third Circuit in Singh, Judge Ulmer granted the Commissioner’s request for limited discovery on the issue of whether Uber drivers engage in interstate commerce. Following that discovery, Uber may then re-calendar its petition for hearing.

The case bears watching as it may provide employees in some industries with arguments to try to circumvent the otherwise enforceable arbitration agreements that they signed with their employers. Ultimately, if Uber drivers are found to be engaged in interstate commerce such that the FAA is inapplicable, the FAA would not preempt their right to file suit under Labor Code section 229 notwithstanding any private agreement to arbitrate. But section 229 only applies to actions to collect due and unpaid wages. Any other claims – such as claims for missed meal or rest periods, failure to reimburse business expenses, or failure to provide accurate wage statements – would not be covered and, thus, should still be subject to a valid and enforceable arbitration agreement. It will be interesting to see if and how that issue is addressed.


©2019 Epstein Becker & Green, P.C. All rights reserved.


Not So Fast And Furious – Executive Indicted for Stealing Self-Driving Car Trade Secrets

Back in March 2017, we posted about a civil lawsuit against Anthony Levandowski, who allegedly sped off with a trove of trade secrets after resigning from Waymo LLC, Google’s self-driving technology company. Waymo not only sued Levandowski, but also his new employer, Uber, and another co-conspirator, Lior Ron. Since our initial post, things have gotten progressively worse for the Not So Fast and Furious trio: (1) Levandowski was fired in May 2017; (2) Uber settled, giving up 5% of its stock, which totaled $245 million; and (3) the case against Levandowski and Ron was sent to arbitration, where the arbitration panel reportedly issued a $128 million interim award to Waymo.

Just when things couldn’t seem to get any worse, they did.

On August 15, 2019, a federal grand jury indicted Levandowski on 33 counts relating to trade secret theft. Levandowski has pled not guilty, has been released on $2 million bail, and is currently wearing an ankle monitor.

This legal saga is a reminder that trade secret theft is serious… it not only has civil consequences, but also criminal ones. Unfortunately, trade secret theft happens every day. And regardless of whether your company has trade secrets regarding self-driving car technology, worth hundreds of millions of dollars, or customer information worth less than a hundred thousand dollars, it’s important to make sure your company’s information is protected.

Equally important is knowing how to investigate potential trade secret theft. Some helpful tips as you launch your investigation:

1. Secure and preserve all relevant computing devices and email/file-sharing accounts.

2. Consider enlisting the help of outside computer forensic experts.

3. Analyze the employee’s computing activities on company computers and accounts.

4. Determine whether there is any abnormal file access, including during non-business hours.

5. Examine the employee’s use of external storage devices and whether those devices have been returned.

6. Review text message and call history from the employee’s company issued cell phone (and never instruct anyone to factory reset cell phones).

7. Enlist the help of outside counsel to set the parameters of the investigation.
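Tips 3 through 5 above boil down to a few concrete analytics over the departed employee's file-activity records. The following is an added example, not part of the Jones Walker post: it takes a constructed set of endpoint file-access events (the user, paths, timestamps and drive letters are all made up) and, for one user, pulls out accesses outside business hours or on weekends and copies onto removable media. The business-hours window and the list of drive prefixes treated as removable are assumptions to adjust for your environment. Per tip 1, run this kind of analysis against an exported or imaged copy of the records, never on the original device.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional

# Assumed business-hours window (local time, Monday to Friday).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Assumed volume prefixes that indicate removable / external storage.
REMOVABLE_PREFIXES = ("E:", "F:", "/media/", "/Volumes/")


@dataclass
class AccessEvent:
    when: datetime
    user: str
    action: str   # "read", "write" or "copy"
    path: str     # file accessed
    target: str   # destination volume for a copy, "" otherwise


# Constructed sample records (not from any real investigation). 2019-08-12 is a Monday.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2019, 8, 12, 10, 15), "jdoe", "read", "/projects/lidar/specs.docx", ""),
    AccessEvent(datetime(2019, 8, 12, 23, 41), "jdoe", "copy", "/projects/lidar/specs.docx", "E:"),
    AccessEvent(datetime(2019, 8, 12, 23, 42), "jdoe", "copy", "/projects/lidar/calibration.xlsx", "E:"),
    AccessEvent(datetime(2019, 8, 17, 14, 5), "jdoe", "read", "/hr/handbook.pdf", ""),  # Saturday
    AccessEvent(datetime(2019, 8, 13, 9, 30), "asmith", "read", "/projects/lidar/specs.docx", ""),
]


def is_off_hours(when: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    weekend = when.weekday() >= 5  # Monday == 0, Saturday == 5
    return weekend or not (BUSINESS_START <= when.time() < BUSINESS_END)


def off_hours_events(events: Iterable[AccessEvent], user: Optional[str] = None) -> List[AccessEvent]:
    """Accesses that happened off hours, optionally restricted to one user."""
    return [e for e in events if is_off_hours(e.when) and (user is None or e.user == user)]


def removable_media_copies(events: Iterable[AccessEvent], user: Optional[str] = None) -> List[AccessEvent]:
    """Copy operations whose destination is a removable volume."""
    return [
        e for e in events
        if e.action == "copy"
        and e.target.startswith(REMOVABLE_PREFIXES)
        and (user is None or e.user == user)
    ]


def investigation_summary(events: Iterable[AccessEvent], user: str) -> Dict[str, object]:
    """Roll the two analytics up into the figures an investigator reports first."""
    events = list(events)
    off = off_hours_events(events, user)
    usb = removable_media_copies(events, user)
    return {
        "off_hours_count": len(off),
        "off_hours_days": sorted({e.when.date().isoformat() for e in off}),
        "removable_copy_count": len(usb),
        "files_to_removable": sorted({e.path for e in usb}),
        "removable_volumes": sorted({e.target for e in usb}),
    }


if __name__ == "__main__":
    for key, value in investigation_summary(SAMPLE_EVENTS, "jdoe").items():
        print(f"{key}: {value}")
```

The `removable_volumes` list is what lets you follow up on tip 5: each volume that appears there is a device to account for, and one that has not been returned is a gap in the evidence rather than a closed question.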


© 2019 Jones Walker LLP

Ubers of the Future will Monitor Your Vital Signs

Uber has announced that it is considering developing self-driving cars that monitor passengers’ vital signs by asking the passengers how they feel during the ride, in order to provide a stress-free and satisfying trip. This concept was outlined in a patent filed by the company in July 2019. Uber envisions passengers connecting their own health-monitoring devices (e.g., smart watches, activity trackers, heart monitors, etc.) to the vehicle to measure the passenger’s reactions. The vehicle would then synthesize the information, along with other measurements that are taken by the car itself (e.g., thermometers, vehicle speed sensors, driving logs, infrared cameras, microphones, etc.). This type of biometric monitoring could potentially allow the vehicle to assess whether it might be going too fast, getting too close to another vehicle on the road, or applying the brakes too hard. The goal is to use artificial intelligence to create a more ‘satisfying’ experience for the riders in the autonomous vehicle.

This proposed technology presents yet another way that ride-sharing companies such as Uber can collect more data from their passengers. Of course, passengers would have the choice about whether to use this feature, but this is another consideration for passengers in this data-driven industry.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.


Are Uber Drivers Employees?

With the advent of ridesharing services, there is an extremely large number of drivers for those companies out on the roads. But are drivers for Uber and similar companies “employees”? Over the years these companies have taken the position that the drivers are not employees but rather independent contractors. The General Counsel of the National Labor Relations Board (NLRB) recently weighed in on this issue, and he agrees with Uber.

In a recently released advice memo, the board concluded that Uber drivers are independent contractors under the National Labor Relations Act (NLRA). When analyzing the relationship between Uber and its drivers, the memo states that it needed to primarily evaluate: “(1) the extent of the company’s control over the manner and means by which drivers conduct business and (2) the relationship between the company’s compensation and the amount of fares collected.” Looking at those factors, the board held:

“Consideration of all the common-law factors, viewed through the ‘prism of entrepreneurial opportunity,’ establishes that UberX drivers were independent contractors. The drivers had significant entrepreneurial opportunity by virtue of their near complete control of their cars and work schedules, together with freedom to choose log-in locations and to work for competitors of Uber. On any given day, at any free moment, drivers could decide how best to serve their economic objectives: by fulfilling ride requests through the App, working for a competing ride-share service, or pursuing a different venture altogether. As explained in detail below, these and other facts strongly support independent-contractor status and outweigh all countervailing facts supporting employee status.”

The memo arrived at the same conclusion for UberBLACK drivers – another category of driver – based on the same analysis. The NLRB’s newly restored test for evaluating independent status was cited extensively.

Independent contractor status poses significant consequences under the NLRA because such workers are not covered under the act. This means they cannot form unions or seek redress for any alleged violations of the NLRA. However, employers must take care to ensure they do not misclassify workers as independent contractors because that can pose significant legal risk. This new advice memo sets forth a potential roadmap for companies desiring to use an independent contractor model, at least when it comes to the NLRA.


© 2019 BARNES & THORNBURG LLP
This post was written by David J. Pryzbylski of Barnes & Thornburg LLP.

Uber Hack – Don’t Tell Anyone!

It’s been revealed that Uber’s database has been hacked, with the personal information of more than 57 million users and drivers worldwide compromised. That’s a big number, but we are becoming increasingly numb to this kind of revelation, with all the cyber-leaks now making the news. The more astounding aspect of this particular incident is the fact that it has taken Uber over a year to reveal the security breach – the attack took place in October 2016.

Uber says that the hackers were able to download files containing information including the names and driver’s licence numbers of 600,000 drivers in the US, as well as the names, email addresses and phone numbers of millions of users worldwide.

Although Uber has now taken steps to notify the drivers affected by the hack, it’s reported that at the time of the breach, the company paid the hackers USD100,000 to delete the stolen data, and not reveal the breach.

In a statement, Uber CEO Dara Khosrowshahi admitted that he became aware of the “inappropriate access [of] user data stored on a third-party cloud-based service” late last year, and that steps were taken to secure the data and shut down further unauthorised access. However, Mr Khosrowshahi noted he has no excuse as to why the massive breach is only being made public now.

For their roles in the cover-up, Uber chief security officer Joe Sullivan and his deputy have been ousted, while Uber says it’s taking “several actions”, including consulting the former general counsel of the US’ National Security Agency to prevent a future data breach.

This post was written by Cameron Abbott & Allison Wallace of K&L Gates. Copyright 2017