Uber has reached a $148 million settlement with 50 U.S states, including Washington, D.C., to resolve allegations that it failed to report a significant data 2016 data breach.
The company paid hackers $100,000 to destroy stolen data from the breach which exposed about 57 million users, in an attempt to hush the breach, rather than reporting to relevant authority.
This is just one in a string of embarrassing events emanating from the ride-hailing company which has brought a lot of negative publicity its way.
State attorneys general revealed the terms of the settlement on Wednesday, in this precedent-setting privacy case. The amount involved is more than the comparatively paltry $14 million that Target paid in 2017 over a breach which compromised the data of more than 41 million people.
Uber’s new Chief Executive Dara Khosrowshahi disclosed the breach in November, more than a year after the company was hacked under the previous CEO. Khosrowshahi said the incident should have been disclosed to regulators at the time it of its discovery in 2016.
“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” said Tony West, Uber’s Chief Legal Officer in a statement on Wednesday.
“The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as Chief Privacy Officer and Matt Olsen as Chief Trust & Security Officer,” he added.
“New Yorkers deserve to know that their personal information will be protected — period,” said New York Attorney General Barbara Underwood in a statement. “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” she added.