Ride-hailing firm Uber has been ordered to pay $148m to 50 US states and Washington DC for failing to disclose a mass data breach in 2016.
The settlement, announced on September 26 by California Attorney General Xavier Becerra, marks the end of a 10-month investigation into the breach that exposed personal data from 57 million Uber accounts. The data revealed included the licence plates of 600,000 drivers across the globe.
The breach was discovered by Uber in October 2016, when Joe Sullivan, the company’s chief security officer at the time, received an email notifying him of a “major vulnerability” in Uber’s system. Rather than report the incident to the authorities, the company opted to pay hackers $100,000 to destroy the stolen data. The payment was made possible by Uber’s ‘bug bounty’ program, which compensates hackers for reporting flaws in the company’s software.
Current CEO Dara Khosrowshahi disclosed the hack to authorities in November 2017. The incident took place under previous CEO Travis Kalanick, who left the company in June 2017 amid a storm of legal challenges. Khosrowshahi apologised for the fact that the breach had not been disclosed sooner.
The $148m settlement fee will be divided across all 50 states and the District of Columbia. California, which led the settlement case, will receive $26m.
In a press release, Becerra declared that Uber “swept the breach under the rug in deliberate disregard of the law”. He also stated: “Uber’s decision to cover up this breach was a blatant violation of the public’s trust.”
The terms of the settlement include compulsory changes to Uber’s business practices, which are designed to protect its users from further breaches. One such change is the appointment of an executive officer to create and implement a comprehensive information security programme. The company will also be required to report any data security incidents to individual states on a quarterly basis for the next two years.
In a statement posted to the Uber website, the company’s chief legal officer, Tony West, said: “We know that earning the trust of our customers and the regulators we work with globally is no easy feat.” He promised that the company would “continue to invest in protections to keep [its] customers and their data safe and secure”.
The case sends a powerful message to Uber that its secretive corporate culture, penchant for ignoring the law and bad business ethics will not be tolerated in the US. Despite recent promises to improve security measures, the company continues to pay the price for its previous actions.
Although the case has been settled, Uber still faces a number of further lawsuits pertaining to the 2016 breach. These include legal challenges from the individuals whose data was leaked, as well as from the cities of Chicago and Los Angeles.