CHICAGO (CBS/AP) — Uber has agreed to pay $148 million and take steps to tighten data security, after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information.
Illinois Attorney General Lisa Madigan announced the settlement Wednesday between Uber Technologies Inc. and all 50 states and the District of Columbia.
“Uber completely disregarded Illinois’ breach notification law when it waited more than a year to alert people to a serious data breach,” Madigan said.
Madigan said that although Uber is now taking appropriate steps, “the company’s initial response was unacceptable. Companies cannot hide when they break the law.”
Pennsylvania Attorney General Josh Shapiro says at least 13,500 Uber drivers in the state were affected by the breach. Under terms of the nationwide settlement, the Pennsylvania Office of the Attorney General will receive $5.7 million from Uber. Approximately $1.35 million will go to the drivers affected as each will receive a $100 payment.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”
Uber learned in November 2016 that hackers had accessed personal data, including driver’s license information, for roughly 600,000 Uber drivers in the U.S. The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed.
Tony West, chief legal officer for Uber, said the decision by current managers was “the right thing to do.”
“It embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said.
The hack also took the names, email addresses and cell phone number of 57 million riders around the world.
All 50 states and the District of Columbia sued Uber, saying the company violated laws requiring it to promptly notify people affected by the breach.
(© Copyright 2018 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)