Uber reaches $148 million settlement over 2016 data breach

Uber on Wednesday agreed to pay a $148 million nationwide settlement resolving allegations that the ride-hailing company failed to properly report a massive data breach in 2016.

The company admitted to paying hackers $100,000 to destroy data stolen in a 2016 breach that exposed 57 million users in an effort to cover up the incident, rather than reporting the hack to authorities as required by law.

{mosads}The hackers had stolen personal information of riders and drivers, including names, email addresses and mobile phone numbers. They also made off with driver’s license information for approximately 600,000 drivers.

State attorneys general made the announcement regarding the company’s largest settlement, which was reached with all 50 states as well as Washington, D.C.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra (D) said in a statement.

“The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”

Uber had also reached a settlement earlier this year with the Federal Trade Commission requiring the company to implement a comprehensive privacy program and undergo regular privacy audits for the next 20 years. That settlement has yet to be finalized.

State attorneys general emphasized that this settlement should serve as a warning shot to other companies that they will be held “accountable” if they do not properly protect their customer’s private information.

“New Yorkers deserve to know that their personal information will be protected — period,” New York Attorney General Barbara Underwood (D) added in a statement. “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation.”

The breach was disclosed in November.

The settlement, which will benefit all 50 states and Washington D.C., also requires Uber to adopt a model data breach notification and data security practices in an effort to reform the company’s practices.

The Hill has reached out to Uber for comment.

The company admitted to Congress earlier this year that it had made a mistake in not disclosing the breach to authorities.

The incident took place under its former CEO Travis Kalanick, who was pushed out of the company last year after a bitter feud with investors over a series of scandals at the company and was not revealed until his successor took over.