On September 26th, Uber agreed to pay a record $148 million to settle allegations that the company intentionally concealed a major data breach in 2016.
The settlement ends a multistate investigation that found the ride-hailing company paid hackers $100,000 to conceal the breach, which exposed the names, email addresses, and cellphone numbers of 57 million users.
Uber failed to notify the 57 million individuals of the data breach and provided public notice only a year after the breach, which happened in late 2016.
Uber said in a November 2017 statement from CEO Dara Khosrowshahi that the breach was carried out by two hackers outside the company. The hackers accessed user data on a third-party, cloud-based service the company uses to store information. The hackers, however, were not able to download users’ Social Security numbers, bank account information, credit card numbers, dates of birth, and trip history, according to the company.
The hackers were, however, able to collect the names, email addresses, and cellphone numbers of 57 million Uber customers and the driver’s license numbers of about 600,000 drivers, according to the company.
A Change in Business Practices
In addition to the monetary payment, Uber is required under the settlement to change business practices to avoid future breaches and to hire a third party to audit its data security processes.
Uber also promised to develop a new policy on data security that will assess the potential risk of future breaches and implement improvements beyond current practices. The company will be required to engage an outside contractor to examine its security efforts regularly and recommend improvements. In an effort to prioritize security, the company also recently hired a chief privacy officer and chief trust and security officer.
Uber will also have to take additional precautions to protect the user data it stores on third-party platforms, such as the one hackers accessed in 2016. If there is another breach, employees must also have an avenue to report any ethics concerns they have about other employees. Employees will also now be subject to stricter internal password requirements.
The settlement does not, however, resolve any liability that Uber may have to consumers, and Uber is still litigating claims related to the breach.