Uber is paying $148 million to settle claims over the ride-hailing company's cover-up of a data breach in 2016, when hackers stole personal information of some 25 million customers and drivers in the U.S.
Instead of reporting the stolen data as required by law, Uber paid the hackers $100,000. That was in late 2016; it wasn't until November 2017 that Uber CEO Dara Khosrowshahi revealed that hackers had downloaded the names, email addresses and mobile phone numbers of 57 million Uber users around the world. The figure included 600,000 of the company's drivers, whose names and driver's license numbers were also at risk.
Uber paid the hackers when the company was still run by its former CEO, Travis Kalanick — who resigned in the middle of 2017 in the face of numerous accusations about the burgeoning start-up's culture and ethical practices.
"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra said in announcing the settlement. "The company failed to safeguard user data and notify authorities when it was exposed."
Attorneys general from all 50 states and the District of Columbia filed a lawsuit over the breach. They announced the settlement on Wednesday, saying that in addition to the penalty, Uber agreed to bolster its data security practices and to give quarterly security updates to the states for the next two years.
Uber's chief legal officer, Tony West — who joined the company just as the hacking case was made public — said that paying the settlement was part of Uber's focus on "taking responsibility for past mistakes, learning from them, and moving forward."
When Uber revealed the breach, it said the hackers had targeted data stored on a third-party, cloud-based service and that the information that was exposed did not include trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth.
The San Francisco-based company says it contacted the hackers and "obtained assurances" that the downloaded data had been deleted.
As NPR's Yuki Noguchi reports, "By not reporting the breach for a year, regulators say the company left its drivers vulnerable to financial fraud and identity theft. This settlement comes as Uber prepares to sell shares to the public for the first time next year."
As part of its response to the data breach, Uber fired Joe Sullivan, its chief security officer. After the hack became public, Sullivan defended the company's handling of the issue, saying Uber had paid a "bug bounty" to the hacker, rather than a ransom for stolen data. It was part of an ongoing security program and not, Sullivan said, a cover-up. But others, both at the company and at regulatory agencies, disagreed.
Uber is still facing lawsuits from private parties and from some cities over its handling of the 2016 breach.
In July, the Federal Trade Commission began sending checks totaling nearly $20 million to Uber drivers in 19 cities, after finding that they were misled by exaggerated claims of the income they could make. Those payments stem from a separate 2017 settlement.