Uber will pay $148 million to settle claims over a 2016 data breach in which hackers gained access to the personal information of 57 million users, including 600,000 of the company’s drivers. The ride-hailing company hid the incident from the public for nearly a year.
The breach occurred in late 2016, but rather than reporting the data theft, Uber paid the hackers $100,000. The money came from Uber’s “bug bounty” program, which normally pays hackers for discovering and reporting flaws in Uber’s software. The hackers were persuaded to delete data they had downloaded and signed nondisclosure agreements.
Uber CEO Dara Khosrowshahi revealed the data breach in November 2017, calling it a “failure” and firing the two employees who had signed off on the payment. The payment to the hackers occurred under previous CEO Travis Kalanick, who resigned in June 2017 amid a torrent of scandals. Khosrowshahi joined Uber as CEO from Expedia in September of that year.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed.”
Attorneys general from all 50 states and the District of Columbia filed a lawsuit over the data breach. The fine paid by Uber will be divided equally among the states and D.C. The settlement also requires Uber to adopt more robust data security practices and to report any incidents to states on a quarterly basis for two years.
Tony West, Uber’s chief legal officer, told the New York Times that the settlement was part of a larger effort to rebuild Uber’s image. He noted that the company recently hired a new chief privacy officer and chief trust and security officer. The previous occupant of the latter role, Joe Sullivan, was one of the employees fired over the handling of the data breach.
The Federal Trade Commission settled its own investigation into the data breach in April. It had already required Uber to submit regular privacy audits as part of a 2017 settlement, which was revised to address the 2016 data breach. Uber still faces lawsuits from some cities and private parties over the breach.