Pa. Uber drivers to get $100 for breach
$148M settlement affects 13,500 in state
Uber has agreed to pay $148 million and improve its corporate practices in a nationwide settlement over allegations that the ride hailing czar illegally concealed a massive 2016 data breach.
Pennsylvania’s share is $5.7 million, with approximately $1.35 million going to Uber drivers in the state who had their personal data stolen, Attorney General Josh Shapiro announced Wednesday.
In November 2016, Uber learned that hackers had accessed some personal information the company maintains on drivers, including driver’s license numbers. Instead of reporting the incident, Uber concealed it until November 2017, after paying $100,000 in ransom for the stolen data to be destroyed.
Uber “actually paid the hackers to delete the data and keep quiet,” Mr. Shapiro said. “This is outrageous corporate misconduct, and today’s settlement holds them accountable.”
Roughly 13,500 affected Uber drivers in Pennsylvania will each receive $100, Mr. Shapiro said. A settlement administrator will be hired to notify and pay them.
Overall, about 600,000 drivers nationwide were affected.
As part of the settlement, Uber agreed to a number of reforms, including implementing stricter password policies for its employees to gain access to the Uber network, developing an overall data security policy for data the company collects about its users, and hiring an outside party to assess its data security efforts regularly and make recommended improvements.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat,” Uber’s chief legal officer, Tony West, said in a statement.
“We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
Mr. Shapiro sued Uber in March for violating the state’s breach notification law, which requires timely notice of a data breach. The state’s case against Uber was settled as part of the national settlement announced Wednesday covering 50 states and the District of Columbia.
The 2016 breach also affected some 57 million Uber riders worldwide. But in that instance, the company has said the hackers stole names, email addresses and phone numbers — not personal information such as driver’s license, credit card and Social Security numbers.
Mr. Shapiro is advising Uber drivers who believe they were impacted by the breach to monitor their credit reports for fraudulent activity.