Uber is paying $148 million to settle claims over the ride-hailing company’s cover-up of a data breach in 2016, when hackers stole personal information of some 25 million customers and drivers in the U.S.
Instead of reporting the stolen data as required by law, Uber paid the hackers $100,000. That was in late 2016; it wasn’t until November 2017 that Uber CEO Dara Khosrowshahi revealed that hackers had downloaded the names, email addresses and mobile phone numbers of 57 million Uber users around the world. The figure included 600,000 of the company’s drivers, whose names and driver’s license numbers were also at risk.
Uber paid the hackers when the company was still run by its former CEO, Travis Kalanick — who resigned in the middle of 2017 in the face of numerous accusations about the burgeoning start-up’s culture and ethical practices.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in announcing the settlement. “The company failed to safeguard user data and notify authorities when it was exposed.”
Attorneys general from all 50 states and the District of Columbia filed a lawsuit over the breach. They announced the settlement on Wednesday, saying that in addition to the penalty, Uber agreed to bolster its data security practices and to give quarterly security updates to the states for the next two years.