Uber to pay record $148 million over 2016 data breach
Uber will pay $148 million to settle an investigation into a 2016 data breach that the company was accused of intentionally concealing.
The settlement with attorneys general for all 50 states and Washington, DC, will be split among the states. It’s the largest ever multi-state data breach settlement, according to the New York attorney general.
The investigation was called to look into allegations that the ride-share company violated state-level notification laws by intentionally withholding that hackers stole the personal information of 57 million users in 2016.
The breach wasn’t disclosed until late 2017, when Uber revealed that it paid the hackers $100,000 to destroy the data. In April, Uber settled a case with the Federal Trade Commission, which was investigating claims that Uber deceived customers over this breach.
As part of the settlement, Uber has agreed to develop and implement a corporate integrity program for employees to report unethical behavior. It also agreed to adopt model data breach notification and data security practices, as well as hire an independent third party to assess its data security practices.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” said New York attorney general Barbara D. Underwood said in a press release. New York will get about $5.1 million of the payout.
“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” said Uber chief legal officer Tony West in a blog post on Wednesday. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
The settlement comes as Uber attempts to clean up its practices. In July, for example, Uber finally hired a chief privacy officer: Ruby Zefo, became Uber’s top executive focused on privacy. Matt Olsen also joined as chief trust and security officer.