Uber to pay $148 million in data breach settlement

Uber has agreed to pay $148 million to settle a data breach that affected some 57 million customers in 2016.

The agreement was with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries on this matter, Uber’s chief legal officer Tony West said in a statement released Wednesday.

The data breach affected 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach.

Uber’s response and cover up of the breach led to the firing of Joe Sullivan, the company’s chief security officer at the time. Uber didn’t report the incident that occurred in October 2016. Instead, the company paid hackers $100,000 to get rid of the evidence and keep the data breach a secret, which Bloomberg first reported.

The data breach and ensuing cover up was revealed in November, more than a year after it had occurred and just a few months after Dara Khosrowshahi had taken the CEO position.

West noted that Uber (and in Khosrowshahi’s first year as CEO) has worked to improve safety and security following the scandal. For instance, Uber hired in 2018 Ruby Zefo as chief privacy officer and Matt Olsen as chief trust and security officer.

The hiring of Zefo, who led Intel’s global privacy and security legal team, and Olsen is part of the company’s mission to move past the embarrassing data breach, as well as other weak privacy practices employed by former CEO Travis Kalanick, who resigned in 2017 after a string of scandals. In April, Uber expanded a proposed settlement made with the Federal Trade Commission pertaining to data mishandling, privacy and security complaints that date back to 2014 and 2015. That proposed settlement happened prior to Uber’s disclosure of the 2016 data breach.