Uber Will Pay $148M to Settle 2016 Data Breach Case

Uber will pay the offices of the California Attorney General and the San Francisco District Attorney $148M to settle charges that stemmed from the company’s 2016 data breach that exposed the personal information of 57 million drivers, as well as some customers.

The California authorities announced the agreement with the ride-sharing company on September 26. In addition to the fine, Uber has agreed to implement much tougher security standards to ensure a data breach of this size does not happen again.

The case stems from the 147,000 drivers in California that were affected by the data breach, which exposed personal data such as names and driver’s license numbers. Overall, the AG’s office and the DA will split $26M, with the rest of the money distributed to other states that had filed charges against Uber.

The data breach exemplified Uber’s culture at that time.

For over 13 months, Uber executives tried to hide the data breach from customers, regulators and the overall public. In addition, the company paid the cybercriminals behind the breach about $100,000 to erase the stolen data.

The incident happened under the leadership of Travis Kalanick, Uber’s founder, who was still CEO at the time. It’s that type of behavior that earned particular scorn from the California AG.

“The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law,” California Attorney General Xavier Becerra wrote in a statement released Wednesday. “Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”

The breach was one of many reasons that led to Kalanick stepping down as CEO. Current CEO Dara Khosrowshahi would write a blog post in 2017 explaining the data breach and attempting to make amends.

That attitude was reflected in a statement Uber released to announce the agreement.

“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity and accountability,” Tony West, Uber’s chief legal officer, wrote in an email. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”

— Scott Ferguson is the managing editor of Light Reading and the managing editor of TU Automotive. Follow him on Twitter @sferguson_LR.

Leave a comment

Your email address will not be published. Required fields are marked *