Uber Technologies Inc. will pay $148 million to settle claims related to a large-scale data breach that exposed the personal information of more than 25 million of its U.S. users.
The settlement, spanning all 50 states and the District of Columbia, is the biggest data-breach payout in history, and marks the most sweeping rebuke by regulators against the San Francisco-based company, which earned a reputation for skirting rules in its push to dominate the ride-hailing market. The states’ agreement stemmed from data compromised in 2016 by hackers, who obtained 607,000 U.S. driver’s license numbers as well as tens of millions of consumer email addresses and phone numbers, a leak that Uber failed to disclose for more than a year after discovering the attack.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” said New York Attorney General Barbara Underwood in a statement Wednesday.
The penalty comes at a pivotal time for Uber Chief Executive Officer Dara Khosrowshahi, who is laying the groundwork for a 2019 initial public offering while working to distance the brand from the controversial growth-at-all-costs approach established under his predecessor, co-founder Travis Kalanick. Bloomberg News reported last November that Kalanick learned of the 2016 breach just a month after hackers stole the personal data on 57 million of Uber’s customers around the globe, including 25.6 million riders and drivers in the U.S. But the company concealed the breach from authorities and instead paid the hackers $100,000 to delete the stolen data and keep the incident quiet.
After the episode came to light, Uber ousted its chief security officer and disclosed the breach to the Federal Trade Commission, which had already reprimanded the company for a similar data breach from 2014.
“The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as Chief Privacy Officer and Matt Olsen as Chief Trust & Security Officer,” Uber Chief Legal Officer Tony West said in a statement Wednesday.
The nine-figure settlement will be distributed to the states, rather than directly to those affected in the breach. In Iowa, for example, its $612,950 share of the settlement will go to the state’s Consumer Education and Litigation Fund. New York is receiving about $5.1 million. As part of the agreement, Uber also promised to improve its security policies and hire an outside party to monitor its data-privacy efforts and regularly report on necessary improvements.