Uber to pay US states $202m over data breach

An Uber logo is seen on a car as it drives through Times Square in New York City. PHOTO: REUTERS

SAN FRANCISCO • Uber will pay US$148 million (S$202 million) to settle a US investigation into a 2016 data breach, in which a hacker managed to gain access to information belonging to 57 million riders and drivers.

The breach included names and licence numbers of 600,000 drivers.

The investigation, led by state attorneys-general across the United States, focused on whether Uber had violated data breach notification laws by not informing consumers that their information had been compromised.

Rather than disclosing the breach when it occurred, Uber paid the hacker US$100,000 through its bug bounty programme, which financially rewards hackers for discovering and disclosing software flaws.

The ride-hailing company persuaded the hacker to delete the data and stay quiet about it with a non-disclosure agreement.

The incident became public a year later, when Uber's chief executive, Mr Dara Khosrowshahi, announced it as a "failure" and fired the two employees who had signed off on the payment.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," Mr Xavier Becerra, California's attorney-general, said in a statement. "The company failed to safeguard user data and notify the authorities when it was exposed."


Mr Tony West, Uber's chief legal officer, said the settlement was part of a larger effort by Uber to remake the company's image.

He said the company had recently hired a chief privacy officer and a chief trust and security officer.

"We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose," Mr West said. He added that the breach was disclosed to the public during his first day on the job.

"Rather than settling into my new work space and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators," Mr West said.

The US$148 million settlement announced on Wednesday will be divided among all 50 states and the District of Columbia.

"Companies in California and throughout the nation are entrusted with customers' valuable private information," Mr Becerra said. "This settlement broadcasts to all of them that we will hold them accountable to protect that data."

A version of this article appeared in the print edition of The Straits Times on September 28, 2018, with the headline 'Uber to pay US states $202m over data breach'.