SAN FRANCISCO (CN) – Uber has agreed to pay $148 million in a multistate settlement over its coverup of a 2016 data breach that resulted in the theft of personal information from 57 million riders and drivers, California’s attorney general said Wednesday.
Uber didn’t admit hackers stole the accounts until a year later in November 2017, after an internal review by its board of directors.
The ride-hail giant fired its security chief Joe Sullivan and one of his deputies for their roles in covering up the hack, which included a $100,000 payout to hackers in exchange for deleting the stolen data and keeping quiet.
Announcing the settlement at a press conference Wednesday, California Attorney General Xavier Becerra said Uber had violated several state laws on reporting data breaches and reasonable data security.
“This settlement should remind all business owners operating in our state that we take violations of privacy very seriously. Whether it’s a data breach or a breach of public trust, we will hold you accountable,” Becerra said.
The money will be divided among all 50 states, but California receives the lion’s share at $26 million. It will be split between Becerra’s office and San Francisco City Attorney’s office to go after future privacy law violators.
“Anyone thinking about trying to evade the law to skirt their responsibility to inform the public and law enforcement that a data breach has occurred, they’d better report it. Don’t think you can hide it and get away with it. You’ll find yourself in the same situation as Uber,” Becerra said.
The settlement contains some historic terms: Uber must report to states any data security incidents quarterly for two years, develop a comprehensive data security program with an executive officer, and set up a hotline for reporting misconduct.
“The terms require Uber to prevent future breaches and reform its corporate culture,” Becerra said. “For the first time in history, an attorney general’s office has required a company to implement privacy by design into its products. This means Uber must integrate privacy considerations and protections in every phase of its products’ development and design.”
Becerra said these terms are actually more important than the money.
“We’re trying to get these companies to change their behavior upfront. As my mom would always remind me, it’s better to prevent than to remediate,” he said.
Little is known about the hackers Uber paid off in 2016. California Deputy Attorney General Lisa Kim said she could not discuss the ongoing investigation, but did say there were two hackers involved – one from the United States and one from Canada.
Becerra was joined at the press conference by San Francisco District Attorney George Gascon, whose office has been investigating Uber for six years.
“We found out over and over that they were lying to their customers in terms of their security. They were lying to their drivers. They were basically violating every rule in the book,” Gascon said.
“They came in with the attitude that we’re going to ask forgiveness later but we’re going to take over the market.”
Gascon said ousted CEO Travis Kalanick was not very receptive to protecting consumer privacy, but new CEO Dara Khosrowshahi has a markedly different style.
“Unfortunately, we worked with prior leadership and it was not pleasant. It was very aggressive and very unethical leadership. We have seen a shift where people are willing to accept responsibility,” he said. “I believe Uber is moving in a different direction and we’re very hopeful that under new leadership we’ll see a very different approach.”
The settlement does not absolve Uber of any liability toward individuals who may have suffered any damages from the breach.