Uber will pay $148 million in a settlement with all 50 states and Washington, D.C., after evidence emerged last year that it hid a major data breach from the public for more than a year, Iowa Attorney General Tom Miller’s office said in a statement Wednesday.
The ride-sharing service learned in late 2016 that two hackers had accessed the personal data of about 600,000 Uber drivers, as well as roughly 57 million customers. However, Uber did not publicly acknowledge that a breach had occurred until November 2017, acknowledging that it had paid $100,000 to the hackers to delete the data.
“Failing to report data breaches as soon as possible can harm consumers,” Miller said. “If notified, consumers can take actions such as monitoring and freezing their credit reports to prevent identity theft.”
Payouts from the $148 million settlement vary by state. Uber agreed to strengthen its data security practices and comply with stricter cybersecurity standards, as well as corporate governance procedures.
“I’m pleased that we’ve reached an agreement with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries on this matter,” Uber Chief Legal Officer Tony West said in a blog post. “The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers.”
Attorneys general from all 50 states accused Uber of violating consumer protection laws by failing to publicize the data breach in short order.
For customers, the stolen data included names, email addresses and phone numbers, while drivers had their names and driver’s license numbers exposed. Uber cut ties with two top executives who handled the company’s initial response to the breach and provided free credit monitoring to impacted drivers.