Uber is having to pay a whopping $148 million to settle allegations that they covered up a data breach in 2016, which saw hackers steal personal information of around 25 million users and drivers in the United States.
According to NPR, the ride-hailing company paid the hackers $100,000 to insure the information wouldn’t be misused instead of reporting the stolen data to the authorities.
Uber CEO Dara Khosrowshahi only revealed the extent of the situation in November last year, when he said the hackers had downloaded personal data from of over 50 million users around the globe – including their names, email addresses, and mobile phone numbers.
Of those 57 million people, 600,000 were Uber drivers — whose names and driver’s license numbers were also targeted.
The scandal took place when former CEO Travis Kalanick was still in charge. He resigned mid-2017 amid accusations that the startup’s ethical practices were dubious.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed,” California Attorney General Xavier Becerra said as he announced the settlement on Wednesday.
The lawsuit against the firm was filed by attorneys general from all across the 50 states as well as the District of Columbia. In addition to the payout, Uber also said that they would strengthen their data security measures, agreeing to provide security updates to the states every three months for the next couple of years.
As reported by WCJB, Uber’s chief legal officer, Tony West, said that the decision to acknowledge the breach by current managers was “the right thing to do.”
“It embodies the principles by which we are running our business today: transparency, integrity, and accountability. An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward,” West said.
When news of the breach broke out last year, the San Francisco-based company claimed that data such as trip location history, Social Security numbers, credit card numbers, bank account numbers, or dates of birth hadn’t been targeted as hackers stole only the information that was stored in a “third-party, cloud-based service.”
In response to the data breach, Uber fired chief security officer Joe Sullivan — who went on to say the firm hadn’t paid the hacker a “ransom” but rather a “bug bounty” in exchange for the stolen data. The company also claimed that they were “assured” that the hackers deleted the data at the time.
Uber will still have to handle individual lawsuits, as well as charges from some cities, due to its handling of the data breach.