Uber Agrees to Pay $148 Million to Settle 2016 Data Breach Allegations


Uber Technologies agreed to pay $148 million to settle allegations in connection with its 2016 data breach.  More than 57 million people worldwide including 600,000 U.S. drivers were affected by the incident.

All 50 state Attorneys General and the District of Columbia are part of the multistate settlement agreement with Uber. They alleged that the ride-sharing company violated their state’s data breach reporting and data security laws. Acc

In their investigation, the state attorneys general found that Uber attempted to cover up the massive data breach. The company paid the hackers $100,000 to delete the stolen data and to conceal the hacking. They sued the compay for its “outrageous corporate misconduct.”

In addition to the $148 million penalty, the ride-sharing company agreed to do the following:

  1. Implement and maintain robust data security practices.
  2. Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
  3. Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
  4. Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
  5. Report any data security incidents to states on a quarterly basis for two years.
  6. Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.

Comment by several state attorneys general

On Thursday, California Attorney General Xavier Becerra, said, “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities… Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”

In addition, Becerra said, “Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”

On the other hand, New York Attorney General Barbara Underwood, commented, “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation. We’ll continue to fight to protect New Yorkers from weak data security and criminal hacker.”

Meanwhile, Pennsylvania Attorney General Josh Shapiro, reiterated that Uber violated the state’s law and condemned its misconduct. He said, “Today’s settlement holds them accountable and requires real changes in their corporate behavior.”

California will receive $26 million share of the settlement. The money will be divided between the state attorney general’s office and the San Francisco district attorney’s office.

New York will receive approximately $5.1 million share while Pennsylvania will get $5.7 million share of the settlement.