Uber to pay US states $202m over data breach

An Uber logo is seen on a car as it car drives through Times Square in New York City. PHOTO: REUTERS
Updated
Sep 28, 2018, 07:51 AM
Published
Sep 28, 2018, 05:00 AM

SAN FRANCISCO • Uber will pay US$148 million (S$202 million) to settle a US investigation into a 2016 data breach, in which a hacker managed to gain access to information belonging to 57 million riders and drivers.

The breach included names and licence numbers of 600,000 drivers.

The investigation, led by state attorneys-general across the United States, focused on whether Uber had violated data breach notification laws by not informing consumers that their information had been compromised.

Rather than disclosing the breach when it occurred, Uber paid the hacker US$100,000 through its bug bounty programme, which financially rewards hackers for discovering and disclosing software flaws.

The ride-hailing company persuaded the hacker to delete the data and stay quiet about it with a non-disclosure agreement.

The incident became public a year later, when Uber's chief executive, Mr Dara Khosrowshahi, announced it as a "failure" and fired the two employees who had signed off on the payment.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," Mr Xavier Becerra, California's attorney-general, said in a statement. "The company failed to safeguard user data and notify the authorities when it was exposed."

More On This Topic
Uber's 2016 data breach affected 380,000 in Singapore, biggest reported breach here
Uber concealed cyber attack that exposed data of 57 million users and drivers
Uber data breach: Other cases involving massive hacking

Mr Tony West, Uber's chief legal officer, said the settlement was part of a larger effort by Uber to remake the company's image.

He said the company had recently hired a chief privacy officer and a chief trust and security officer.

"We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose," Mr West said. He added that the breach was disclosed to the public during his first day on the job.

"Rather than settling into my new work space and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators," Mr West said.

The US$148 million settlement announced on Wednesday will be divided among all 50 states and the District of Columbia.

"Companies in California and throughout the nation are entrusted with customers' valuable private information," Mr Becerra said. "This settlement broadcasts to all of them that we will hold them accountable to protect that data."

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on September 28, 2018, with the headline Uber to pay US states $202m over data breach. Subscribe

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top