Uber to dole out $148m settlement among US states over breach it paid $100k to bury

Nice. Ride-hailing app firm also vows to comply with law

Uber will pay $148m to US state authorities in a settlement for the 2016 data breach that saw hackers steal information on 57 million people.

The firm covered up the hack – which exposed names, email addresses and phone numbers of drivers and customers – for almost a year. It also attempted to bribe the thieves, offering them $100,000 disguised as a bug bounty to keep quiet.

However, under the new leadership of Dara Khosrowshahi, the firm 'fessed up in November 2017, and was promptly bombarded with various lawsuits and investigations.

It has now agreed a settlement with the 50 US states and the District of Columbia for $148m – the largest such penalty handed out by multiple states.

The penalty is not being divided equally across the states – for instance, Rhode Island will get $800,000, Arizona, $2.7m, New York, $5.1m, and California, which helped strike the deal, will get $26m.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," said Californian attorney general Xavier Becerra yesterday evening (UK time).

headache woman rubs temples

Uber's London licence appeal off to flying start: No, you cannot do driver eye tests via video link


"Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers' valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

The settlement also requires Uber to take certain actions, including the rather obvious condition that it complies with state laws on safeguarding of personal information.

Another doozy is the requirement for "strong password policies" for employees accessing the Uber network.

Other demands made of Uber include it agreeing to have an external audit of its data security efforts on a regular basis and to report any data security incidents to the states on a quarterly basis for two years.

Further requirements are to develop corporate integrity and infosec programmes and commit to increased transparency on data security and privacy – all of which Uber has insisted it has been doing since the breach was made public.

"The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers," said chief legal officer Tony West, pointing to recent announcements on safety and new hires in the security team. ®

Similar topics

Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022