Uber will pay a $148 million fine as part of a settlement reached with state law enforcement officials over allegations it attempted to conceal a 2016 data breach affecting millions of its users, the company said.
The rideshare company has also agreed to adopt new data security and breach notification policies, not limited to the hiring of a third-party auditor to regularly assess its practices. Additionally, the settlement requires Uber to develop and implement a “corporate integrity program” designed to aid employees who seek to report ethics concerns.
In November, it was revealed that Uber had, in early 2016, paid off “hackers” who gained access to the personal data of 57 million Uber riders, including email addresses, phone numbers, and drivers licenses numbers. Disclosure of the secret payment, $100,000, led to the firing of multiple executives.
In a statement, Uber Chief Legal Officer Tony West said that he was “pleased” to announce the settlement while praising the company’s “current management” over its decision to disclose the incident. “We know that earning the trust of our customers and the regulators we work with globally is no easy feat,” he said. “After all, trust is hard to gain and easy to lose.”
Citing recent hires Ruby Zefo and Matt Olsen—Uber’s new chief privacy officer and chief trust & security officer, respectively—West said the company will continue to invest in its security and remains committed “to maintaining a constructive and collaborative relationship with governments around the world.”
The New York State Attorney General’s office said it played a lead role in securing the settlement, which involves 50 states plus the District of Columbia. The office had been probing the Uber breach independently before joining the multistate investigation run by the attorneys general.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Attorney General Barbara Underwood said in a statement. “We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”
News of the settlement came as executives for Apple, Google, Amazon, and other leading tech companies testified on Capitol Hill about the need for a national privacy law that would also create a single breach notification policy for the entire country, replacing the confusing patchwork of state laws currently protecting consumers.