Uber has agreed to pay $148 million to settle allegations from 50 states and the District that the ride-hailing company violated data breach laws when it waited a year to disclose a hack affecting tens of millions of its riders and drivers.
The settlement is among the biggest in Uber’s history and marks the first time the company has settled a matter with the top law enforcement officials from all 50 states and the District. It is the largest multistate penalty ever levied by state authorities for a data breach.
The announcement came just as lawmakers on Wednesday were debating whether to write a national consumer privacy law, with witnesses testifying from companies such as Apple, Google and Twitter.
Uber not only waited a year to disclose the breach — which exposed names, email addresses and phone numbers of 57 million people around the world — but also paid $100,000 to the hackers to keep the incident quiet.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in a statement. “Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect that data.”
The breach was disclosed in November after an investigation ordered by Uber chief executive Dara Khosrowshahi. On Wednesday, the company’s chief legal officer, Tony West, said in a blog post that the matter came to his attention on his first day on the job last year.
“Rather than settling into my new workplace and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators,” West wrote.
As part of the settlement, Uber will be required to make changes to its practices and to its corporate culture. Uber agreed to undergo regular third-party audits of its security practices and to set up a program allowing employees to file concerns about ethics violations they may have witnessed while on the job. It also agreed to take precautions to safeguard any Uber data that may be held by third parties, according to New York’s attorney general’s office.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” said New York Attorney General Barbara Underwood.
This summer, Uber hired a former lawyer for Intel as its chief privacy officer and a former general counsel for the National Security Agency as its chief trust and security officer.