Uber has reached a settlement with all 50 states and the District of Columbia that sued the ride-sharing company over its massive data breach and its failure to quickly notify affected parties.
The company will pay $148 million and beef up its security in the aftermath of the 2016 breach. Hackers stole personal information about both drivers and riders, but the company failed to promptly announce the breach as required by law.
“Uber completely disregarded Illinois’ breach notification law when it waited more than a year to alert people to a serious data breach,” said Illinois Attorney General Lisa Madigan. “While Uber is now taking the appropriate steps to protect the data of its drivers in Illinois and across the country, the company’s initial response was unacceptable. Companies cannot hide when they break the law.”
Illinois and most other states have laws requiring immediate notification when a company discovers that its network has been breached by hackers. Madigan says Uber learned of the breach soon after it happened in 2016 but violated the law when it didn't immediately disclose it.
More than 57 million people affected
According to the suit, hackers invaded Uber's internal databases and acquired the names, email addresses and mobile phone numbers of 57 million Uber riders and drivers, as well as the names and driver's license numbers of 600,000 U.S.-based drivers.
“Uber failed to immediately report this data breach and tried to pay hush money to hackers,” said Massachusetts Attorney General Maura Healey. “This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised.”
Connecticut Attorney General George Jepsen said his state will use a portion of the settlement money to compensate Uber drivers who were affected by the breach.
In its settlement with all the states, Uber has agreed to comply with all state data breach and consumer protection laws and take new precautions to protect all user data stored on third-party networks.