Uber settled charges Wednesday that it concealed a 2016 data breach in violation of notification laws. The settlement, which was reached with 50 states and the District of Columbia, requires Uber to adopt data breach notification and data security practices and have its data security reviewed by an outside company. Uber is also required to pay a record $148 million in penalties.
“New Yorkers deserve to know that their personal information will be protected – period,” said New York Attorney General Barbara D. Underwood. “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation.”
In November 2016, hackers based in the United States and Canada secretly informed security officials at Uber that they’d downloaded the personal information of 57 million riders and drivers, including 25 million in the United States and 7.7 million drivers. The information stolen included names, email addresses, and mobile phone numbers; driver’s license information on about 600,000 drivers nationwide was also stolen. After providing proof of the massive data breach, the hackers demanded “six figures” to delete the data and not disclose the breach. Uber paid the hackers $100,000 to conceal the breach.
In the spring of 2017, Uber’s board of directors directed a law firm to investigate Uber’s security team due to an unrelated lawsuit on the alleged theft of trade secrets for self-driving cars. As part of the inquiry, the law firm learned of the breach and ransom payment. Then the board hired a forensic firm to investigate the breach. Uber provided notice of the breach in late November 2017, a year after it occurred.




