Uber agrees to pay $148 million for 2016 hack and cover-up
Anthony Wallace/AFP/Getty Images
Uber’s 2016 shenanigans that saw it fail to report a massive data breach and led to it paying the hackers $100,000 has ended up costing the company $148 million.
The ridesharing giant has agreed to pay the sum after reaching a settlement with all 50 U.S. states and the District of Columbia that had accused it of breaking the rules.
The breach, in which hackers gained access to personal information linked to 57 million Uber customers and drivers around the world, came to light toward the end of 2017, a year after it had taken place. Uber knew about the hack but had tried to conceal it, going so far as paying the hackers $100,000 to destroy the stolen data.
The Washington Post described the $148 million settlement as “the largest multi-state penalty ever levied by state authorities” for an incident of this nature, and marks “the first time the company has settled a matter with the top law enforcement officials from all 50 states and the District.”
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed.”
Becerra said that consistent with Uber’s substandard corporate culture at the time, the company “swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”
The data breach took place during Travis Kalanick’s time as CEO and at a time when the company was fighting battles on multiple fronts. Dara Khosrowshahi replaced Kalanick in August 2017 and during an overhaul of the company’s business practices, insiders revealed its wrongdoing.
Khosrowshahi said he only found out about the hack shortly before it was made public, admitting that the company should have notified regulators as soon as they learned of the incident.
“None of this should have happened, and I will not make excuses for it,” the CEO said at the time while insisting that Uber would learn from its mistakes.
The $148 million fine will be split among the states and each will decide how the money is used. Uber has also agreed to continue with ongoing efforts to incorporate new systems aimed at preventing future hacks, and to improve its corporate culture.
In his first day in the job as Uber’s chief legal officer, Tony West said on Wednesday that he was “pleased” the agreement had been reached, adding that it had been right for its current management team to disclose the incident, and that the decision “embodies the principles by which we are running our business today: transparency, integrity, and accountability.”
- Hack affects 2 million T-Mobile customers, unclear if passwords included
- Millions of health records may be at stake in ransomware attack
- Dixons Carphone hack exposes 5.9 million cards, 10 million accounts
- Timehop data breach may have compromised 21 million email addresses
- Apple shrugs off Fitbit and Garmin to remain king of smartwatches