Sun Sentinel Palm Beach Edition
Uber will pay $148M to settle data breach
Uber has agreed to pay $148 million to settle allegations from 50 states and the District of Columbia that the ride-hailing company violated data breach laws when it waited a year to disclose a hack affecting tens of millions of its riders and drivers.
The settlement is among the biggest in Uber’s history and marks the first time the company has settled a matter with the top law enforcement officials from all 50 states and the District of Columbia. It is the largest multi-state penalty ever levied by state authorities for a data breach.
The announcement came just as lawmakers on Wednesday were debating whether to write a national consumer privacy law, with witnesses testifying from companies such as Apple, Google and Twitter.
Uber not only waited a year to disclose the breach — which exposed names, email addresses and phone numbers of 57 million people around the world — but also paid $100,000 to the hackers to keep the incident quiet.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in a statement. “Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect that data.”
As part of the settlement, Uber will be required to make changes to its practices and to its corporate culture. Uber agreed to undergo regular third-party audits of its security practices, and to set up a program allowing employees to file concerns about ethics violations they may have witnessed on the job. It also agreed to take precautions to safeguard Uber data that may be held by third parties, according to New York’s attorney general’s office.