Uber agrees to $148M settlement with states
CHICAGO» Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information, according to a settlement announced Wednesday.
Uber Technologies Inc. reached the agreement with all 50 states and the District of Columbia after a massive data breach in 2016. Instead of reporting it, Uber hid evidence of the theft and paid ransom to ensure the data wouldn’t be misused.
The settlement payout will be divided among the states based on the number of drivers each has. Colorado will receive $2.1 million.
“Uber concealed this data breach from its drivers for a full year, in violation of Colorado law,” said Colorado Attorney General Cynthia Coffman. “Consumers deserve a quick heads-up when their information has been compromised so they can take steps to protect themselves from criminals. Instead, Uber took the law into its own hands, further disadvantaging its drivers. This settlement sends a strong message that companies like Uber who fail to follow Colorado’s data breach notification law will face expensive consequences.”
Uber, whose GPS-tracked drivers pick up riders who summon them from cellphone apps, learned in November 2016 that hackers had accessed personal data, including driver’s license information, for roughly 600,000 Uber drivers in the U.S. and 12,000 in Colorado. The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed.
The hack also took the names, email addresses and cellphone numbers of 57 million riders around the world. After significant management changes in the past year, Tony West, Uber’s chief legal officer, said the decision by current managers was “the right thing to do.”
“It embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”
The settlement requires Uber to comply with state consumer protection laws safeguarding personal information and to immediately notify authorities in case of a breach, and to establish methods to protect user data stored on third-party platforms and create strong password-protection policies. The company also will hire an outside firm to conduct an assessment of Uber’s data security and implement its recommendations.
West said the commitments in the settlement coincide with physical and digital safety improvements the company recently announced. Uber hired a longtime in-house counsel for Intel as its chief privacy officer and selected a former general counsel to the National Security Agency and director of the National Counterterrorism Center as the company’s chief trust and security officer.