
Uber and Unroll.me: How They Secretly Collected Data

A recent New York Times article about Uber shared some damaging revelations about the company’s CEO, Travis Kalanick, and how Uber leveraged data from an app called Unroll.me:

“They spent much of their energy one-upping rivals like Lyft. Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. Uber used the data as a proxy for the health of Lyft’s business.”

Unroll.me is a third-party app that helps you unsubscribe from email subscriptions in order to reduce the size of your inbox. Sounds like a useful and legit productivity app, right? Unfortunately, Unroll.me has been selling your data to whoever wanted it, without concern for how the data would be used. The app gains access to your Google account through OAuth, which you granted when you installed the app on your phone or tablet.

In today’s cut-throat business environment, it’s certainly understandable that competing companies might want to acquire the other’s confidential corporate information, and might even use a service like Unroll.me to gain access to employee emails and information. While this type of security threat is new, it is already effective at exposing corporate vulnerabilities and secrets.

To proactively defend against these dangerous security risks, companies should add a Cloud Access Security Broker (CASB) solution to their technology stack. It’s important to select a CASB that automatically looks for all apps to which users have granted permission using corporate credentials, so IT managers can take proactive steps, including revoking access or contacting the user to understand the reason for granting permission. By adding a CASB, companies can protect themselves against the risks of cloud data being covertly mined and sold.

ManagedMethods’ CASB product, Cloud Access Monitor, provides you with detailed information on which employees have granted access to which third-party apps and which security scopes were granted. Once you have this information, Cloud Access Monitor allows you to revoke those permissions and prevent this threat in the future.

As you can see here, Cloud Access Monitor provides a list of all apps that have been granted access by your employees and the number of scopes:

If we dig deeper, we see that Unroll.me has access to reading the employee’s emails.

Once we can see which employees have granted access to Unroll.me, we can revoke that access.
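The same three steps (list the apps, inspect their scopes, queue revocations) can be sketched over an exported list of OAuth grants. This is an added example, not Cloud Access Monitor code; it assumes records shaped like Google Admin SDK Directory API token entries (`userKey`, `clientId`, `displayText`, `scopes`), and every user, client ID and app name in it is constructed.

```python
from collections import defaultdict

# Gmail OAuth scopes that allow reading message content.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Constructed sample data (assumed record shape: userKey, clientId,
# displayText, scopes). All users, client IDs and app names are hypothetical.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "client-1.example",
     "displayText": "Inbox Cleaner",
     "scopes": ["https://mail.google.com/", "openid"]},
    {"userKey": "bob@example.com", "clientId": "client-1.example",
     "displayText": "Inbox Cleaner",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "bob@example.com", "clientId": "client-2.example",
     "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "clientId": "client-3.example",
     "displayText": "Sign-in Only",
     "scopes": ["openid", "email"]},
]

def audit_grants(grants, risky_scopes=MAIL_READ_SCOPES):
    """Group grants by app; return apps holding a risky scope, widest first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "risky": set()})
    for g in grants:
        hit = risky_scopes.intersection(g.get("scopes", []))
        if not hit:
            continue  # this grant cannot read mail, so it is not flagged
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", "")
        app["users"].add(g["userKey"])
        app["risky"] |= hit
    report = [
        {"clientId": cid, "name": a["name"],
         "users": sorted(a["users"]), "risky_scopes": sorted(a["risky"])}
        for cid, a in apps.items()
    ]
    # Most affected users first, then clientId for a stable order.
    return sorted(report, key=lambda r: (-len(r["users"]), r["clientId"]))

def revocation_queue(report):
    """Flatten the report into (userKey, clientId) pairs to review or revoke."""
    return [(u, r["clientId"]) for r in report for u in r["users"]]
```

Calling `revocation_queue(audit_grants(SAMPLE_GRANTS))` yields the user and app pairs an administrator would review before revoking access or contacting the user.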

As threats like the Uber and Unroll.me scenario become more prevalent, companies need to defend themselves before the worst happens. Cloud Access Monitor allows you to proactively protect your employees from exposing corporate data through third-party apps to competitors or hackers with malicious intent.

Learn more about gaining visibility into your company’s cloud application usage in our white paper, Bring Visibility and Control to SaaS Applications: Cloud Security Made Easy.
