Uber Agrees to Pay $148 Million to Settle 2016 Data Breach Allegations

Uber Technologies agreed to pay $148 million to settle allegations in connection with its 2016 data breach. More than 57 million people worldwide, including 600,000 U.S. drivers, were affected by the incident.

All 50 state Attorneys General and the District of Columbia are part of the multistate settlement agreement with Uber. They alleged that the ride-sharing company violated their states’ data breach reporting and data security laws. Acc

In their investigation, the state attorneys general found that Uber attempted to cover up the massive data breach. The company paid the hackers $100,000 to delete the stolen data and to conceal the hacking. The attorneys general sued the company for its “outrageous corporate misconduct.”

In addition to the $148 million penalty, the ride-sharing company agreed to do the following:

  1. Implement and maintain robust data security practices.
  2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
  3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
  4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
  5. Report any data security incidents to states on a quarterly basis for two years.
  6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.

Comment by several state attorneys general

On Thursday, California Attorney General Xavier Becerra said, “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities… Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”