What to Know
- Uber has agreed to pay a record total of $148 million to resolve a multi-jurisdiction investigation into an alleged data beach
- The settlement will be divided among all 50 states — with about $3.75 million going to New Jersey and about $5.1 million going to New York
- All 50 states and DC sued Uber saying that the company violated laws notification of the data breach in a timely fashion
The ride-sharing company Uber has agreed to pay a record total of $148 million to resolve a multi-jurisdiction investigation into an alleged data beach that compromised personal information of both Uber riders and drivers and violated data breach notification laws.
The settlement will be divided among all 50 states — with about $3.75 million going to New Jersey and about $5.1 million going to New York.
The settlement reached with all 50 states and the District of Columbia, which all sued Uber saying that the company violated laws requiring it to notify people impacted by the breach in a timely fashion, requires Uber to adopt model data breach notification and data security protocols and a corporate integrity program for employees to report unethical behavior.
Additionally, the settlement requires the company to hire an independent third party to assess its data security practices.
According to court documents, in November 2016, hackers based in the United States and Canada allegedly informed security officials at Uber that they had downloaded the personal information of riders and drivers. The information stolen included names, email addresses, and mobile phone numbers as well as drivers’ license information of about 600,000 drivers nationwide, New York and New Jersey officials say.
Although the data breach occurred in 2016, it was not disclosed by Uber until a year later, in November 2017.
After providing proof of the massive data breach, the hackers allegedly demanded “six figures” to delete the data and not disclose the breach, with Uber ultimately paying the hackers $100,000 to conceal the breach, documents say.
In the spring of 2017, Uber’s Board of Directors allegedly directed a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the suspected theft of trade secrets related to self-driving cars. As part of this inquiry, the law firm allegedly learned of the alleged breach and ransom payment.
“This is a significant settlement for New Jersey residents and for Uber users everywhere -- not only because the payout is historic, but because it requires that Uber adopt new policies and procedures that will more effectively safeguard the personal information of its riders and drivers in the future,” New Jersey Attorney General Gurbir Grewal said in a statement.
New York Attorney General Barbara Underwood echoed similar sentiments, saying that “New Yorkers deserve to know that their personal information will be protected.”
Underwood added that the “record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation.”
Tony West, chief legal officer for Uber, said in a statement that the decision by current managers was "the right thing to do" and "embodies the principles by which we are running our business today: transparency, integrity, and accountability."
West added that "an important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward."
