Uber on Wednesday settled its largest lawsuit ever, resolving allegations that it concealed a hack affecting millions of its riders and drivers in violation of state data-breach laws, according to the settlement agreement.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” Barbara Underwood, New York’s attorney general, said on Wednesday.
The settlement requires the ride-sharing company to pay a record penalty of $148 million to all 50 states and the District of Columbia—the largest multi-state penalty ever imposed by state authorities for a data breach, the New York attorney general’s office confirmed to The Daily Beast.
In addition to the monetary penalty, Uber is required to strengthen its data-security practices and comply with stricter cyber-security standards, including hiring an independent third party to assess its internal practices, the settlement states.
“I’m pleased that we’ve reached an agreement with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries on this matter,” Tony West, Uber’s chief legal officer, said in a statement on Wednesday. “The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers.”
The November 2016 data breach occurred when a hacker gained access to Uber-held information on 57 million riders and drivers, including the names and driver's license numbers of 600,000 drivers. The breach prompted a nationwide investigation led by state attorneys general into whether the company violated data-breach notification laws by failing to inform affected riders and drivers that their personal data had been compromised.
Instead of disclosing the breach, the investigation alleged, Uber paid the hacker $100,000 through its "bug bounty program," a program intended to reward researchers for responsibly reporting software flaws rather than to settle with someone already holding stolen data. Uber allegedly asked the hacker to delete the data and subsequently sign a non-disclosure agreement.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Xavier Becerra, California’s attorney general, said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed.”
The breach did not become public for a year. It surfaced only after Uber hired a law firm to investigate its security team in connection with a separate lawsuit alleging the theft of self-driving-car trade secrets.
Once the law firm learned of the breach, the settlement states, Uber hired an outside forensic firm to investigate and then informed the public.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Dara Khosrowshahi, Uber’s chief executive, said at the time before firing the two employees who had signed off on the payment.
West claimed that Uber did, in fact, inform officials when it occurred. “Rather than settling into my new work space and walking the floor to meet my new colleagues,” he said, “I spent the day calling various state and federal regulators.”
Following the announcement, the Federal Trade Commission began its own investigation into the company. In April, the commission reached a settlement under which Uber must submit to regular privacy audits; that agreement was revised this year to cover the most recent breach.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose,” West said.
This settlement announcement came just as policymakers on Wednesday debated whether to write a new national consumer privacy law—with help from major tech companies.
The Senate Commerce Committee heard testimony on Wednesday from tech executives on what they believe would make an effective new privacy law. "We believe privacy is a fundamental right, not a privilege," Damien Kieran, Twitter's data protection officer, told lawmakers.
These tech companies—Apple, Google, Amazon, AT&T, Charter, and Twitter—are the main proponents of a new privacy law, publicly stating that they are ready to work with lawmakers to ensure the bill’s success.
"Perhaps for the first time, there is widespread agreement among industry, policymakers and many consumer groups of the need for a new and comprehensive federal privacy law," Leonard Cali, AT&T's senior vice president for global public policy, said on Wednesday.
The proverbial olive branch comes after months of pressure from elected officials on tech giants over privacy and regulation. The tone has shifted, however, from questioning the integrity of those companies to asking for their help in creating a single national consumer privacy law governing data collection and breach handling.
Bud Tribble, Apple's vice president for software technology, acknowledged the severe risk posed by data breaches like Uber's, and emphasized that Apple wants to better assure customers that their data will not be vulnerable to hackers.
“We want your device to know everything about you; we don’t think that we should,” Tribble said.