Uber Agrees To $148M Settlement With Pa., Other States Over Data Breach

Sep 26, 2018

Uber has agreed to pay $148 million and take steps to tighten data security, after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information.

Illinois Attorney General Lisa Madigan announced the settlement Wednesday between Uber Technologies Inc. and all 50 states and the District of Columbia.

Uber learned in November 2016 that hackers had accessed personal data, including driver's license information, for roughly 600,000 Uber drivers in the U.S.

The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed.

The states sued Uber, saying the company violated laws requiring it to promptly notify people affected by the breach.

Madigan says "Companies cannot hide when they break the law."

In Pennsylvania, the state Attorney General's office will receive $5.7 million. Uber will also be required to take steps to change its corporate practices to better protect and secure its employees' information and other data.

"The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes," Attorney General Shapiro said. "That's why my Bureau of Consumer Protection took action, and it is why we are also continuing to lead an ongoing national investigation into the Equifax breach."

At least 13,500 Pennsylvania Uber drivers were affected by the breach. Each one who was impacted will receive a $100 payment. 

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”

 In a statement on Uber's website, chief legal officer Tony West says that part of being an accountable company with integrity is owning past mistakes and learning from them. 

 "We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world."

 

The remainder of the settlement for the commonealth - $4.35 million - will go to the Attorney General's Public Protection Section and Bureau of Consumer Protection.

*This story was updated Wednesday, Sept. 26 at 4:47 p.m. to include additional comments from Shapiro and the statement from Uber's website.