Skip to main content

Uber Technologies Inc has settled with the top legal officers in all 50 U.S. states over a massive data breach it failed to disclose in 2016, one of the biggest embarrassments and legal tangles the ride-hailing company has suffered over the last couple of years.

State attorneys general said on Wednesday that Uber will pay $148 million to settle the matter, with payments distributed in varying amounts across the states and Washington, D.C.

The amount is precedent setting for attorneys general settlements in privacy cases. By comparison, the multi-state settlement with Target Corp in 2017, over a breach in which 41 million people had their data stolen, was just $18.5 million.

The settlement follows a 10-month investigation into a data breach that exposed personal data from 57 million Uber accounts, including 600,000 driver’s license numbers. Uber’s new Chief Executive Dara Khosrowshahi disclosed the breach in November, more than a year after the company was hacked under the previous CEO. Khosrowshahi has said the incident should have been disclosed to regulators at the time it was discovered in 2016.

The cover-up, widely seen by states as violating data breach reporting and data security laws, drew the ire of authorities across the United States and also in the United Kingdom, Australia and the Philippines. About half of the data breach victims lived in the United States.

The settlement terms include changes to Uber’s business practices aimed at preventing future breaches and reforming its corporate culture. Uber will be required to report any data security incidents to states on a quarterly basis for the next two years, and implement a comprehensive information security program overseen by an executive officer who advises executive staff and Uber’s board of directors.

“We know that earning the trust of our customers and the regulators we work with globally is no easy feat,” said Uber Chief Legal Officer Tony West. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”

In November 2016, Uber paid the hackers - who included a 20-year-old Florida man and a hacker in Canada - $100,000 to destroy the stolen data, using its “bug bounty” program, which is designed to reward security researchers who report flaws in a company’s software. Uber then chose not to report the matter to victims or authorities.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” said California Attorney General Xavier Becerra. “Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”

California, one of lead states in the settlement effort, will keep $26 million, to be split between the state Attorney General’s Office and the San Francisco District Attorney’s Office, a spokeswoman for Becerra’s office said.

Khosrowshahi fired two of Uber’s top security officials when he announced the breach, and other members of that team have since departed. The company recently hired a chief privacy officer and chief security officer.

It still faces lawsuits from riders, drivers and the cities of Chicago and Los Angeles over the data breach.

Interact with The Globe