Uber Technologies has reached a $148 million settlement agreement with the attorneys general of all 50 states and the District of Columbia. The settlement stems from the company's failure to report a massive 2016 data breach in a timely manner, as well as the company's inadequate information security practices.
The $148 million settlement, to be split among the states, is apparently the largest privacy settlement ever reached between state regulators and a breached business.
Uber's penalty easily dwarfs the $18.5 million settlement agreement between states and Target over its 2013 breach, which resulted in attackers compromising 41 million customers' payment card details as well as contact details for more than 60 million customers.
Under the terms of the settlement agreement, Uber must put in place "privacy by design" practices, report all data security incidents to states on a quarterly basis for the next two years, and create a corporate integrity program and maintain a hotline for reporting any data security or privacy misconduct.
Uber says the breach exposed personal information for 25 million users in the U.S., of which 4.1 million were drivers. For the driver accounts, 600,000 contained license numbers. Subsequently, it emerged that Uber had paid $100,000 to a 20-year-old in Florida for what it portrayed as a "bug bounty" tied to a breach involving code that Uber's engineers appeared to have uploaded to the GitHub code-sharing service. Many information security experts said that the cover-up and payment - made in exchange for the developer agreeing to delete the data - looked less like a bug bounty and more like hush money. Indeed, California authorities this week minced no words, saying that "Uber covered up the breach and then paid hackers $100,000 in exchange for their silence."
"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra says in a statement. "The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers' valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."
Uber has promised to do better. "We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose," says Tony West, Uber's chief legal officer, in a blog post.
West joined Uber just after the company notified the public about the 2016 breach. In his blog post, he pledged "transparency, integrity and accountability" from Uber, as well as a corporate culture that would learn from and take responsibility for past mistakes. "The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as chief privacy officer and Matt Olsen as chief trust and security officer," West said.