Uber will pay $148 million to settle an investigation into a massive 2016 data breach that the ride-hailing company allegedly covered up by paying off the hackers.
The nationwide settlement, led by California, is the largest-ever multi-state data breach settlement. The settlement funds will be divided equally among all 50 states and the District of Columbia.
The data breach exposed the names, email addresses, phone numbers, and other personal information of 57 million Uber users, but the company did not disclose the hack until late 2017.
Uber managed to keep the data breach out of public view until late 2017, when it admitted that it paid two hackers $100,000 to destroy the data they stole.
Uber revealed the hackers “accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company,” according to Bloomberg. “From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money …”
Uber also agreed to take a number of other measures, including boosting its cybersecurity practices and complying with state laws governing data collection, maintenance, and storage, as well as with reporting requirements for security incidents. Additionally, Uber must report data security issues on a quarterly basis over a two-year period.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”