Uber pays $148 million for 2016 cover up

Last month, California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón announced a $148 million nationwide settlement resolving allegations that Uber violated state data breach reporting and reasonable data security laws, in connection with its 2016 breach of driver and customer data.

Uber is accused of exposing 57 million users’ data and paying hackers to cover up the breach rather than reporting it to proper authorities.

Specifically, in addition to the civil penalties, the settlement also requires that Uber:

• Implement and maintain robust data security practices.
• Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
• Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded.
• Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
• Report any data security incidents to states on a quarterly basis for two years.
• Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” said Attorney General Becerra. “The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”

“We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy,” said District Attorney George Gascón.