[BreachExchange] Uber reaches $148 million settlement over its 2016 data breach, which affected 57 million globally

Destry Winant destry at riskbasedsecurity.com
Wed Sep 26 19:28:24 EDT 2018


https://www.washingtonpost.com/technology/2018/09/26/uber-reaches-million-settlement-over-its-data-breach-which-affected-million-globally/?utm_term=.8ce29dca6ec3

Uber has agreed to pay $148 million to settle allegations from 50
states and the District that the ride-hailing company violated data
breach laws when it waited a year to disclose a hack affecting tens of
millions of its riders and drivers.

The settlement is among the biggest in Uber’s history and marks the
first time the company has settled a matter with the top law
enforcement officials from all 50 states and the District. It is the
largest multistate penalty ever levied by state authorities for a data
breach.

The announcement came just as lawmakers on Wednesday were
debating whether to write a national consumer privacy law, with
witnesses testifying from companies such as Apple, Google and Twitter.

Uber not only waited a year to disclose the breach — which exposed
names, email addresses and phone numbers of 57 million people around
the world — but also paid $100,000 to the hackers to keep the incident
quiet.

“Uber’s decision to cover up this breach was a blatant violation of
the public’s trust,” California Attorney General Xavier Becerra said
in a statement. “Companies in California and throughout the nation are
entrusted with customers’ valuable private information. This
settlement broadcasts to all of them that we will hold them
accountable to protect that data.”

The breach was disclosed in November after an investigation ordered by
Uber chief executive Dara Khosrowshahi. On Wednesday, the company’s
chief legal officer, Tony West, said in a blog post that the matter
came to his attention on his first day on the job last year.

“Rather than settling into my new workplace and walking the floor to
meet my new colleagues, I spent the day calling various state and
federal regulators,” West wrote.

As part of the settlement, Uber will be required to make changes to
its practices and to its corporate culture. Uber agreed to undergo
regular third-party audits of its security practices and to set up a
program allowing employees to file concerns about ethics violations
they may have witnessed while on the job. It also agreed to take
precautions to safeguard any Uber data that may be held by third
parties, according to New York’s attorney general’s office.

“This record settlement should send a clear message: we have zero
tolerance for those who skirt the law and leave consumer and employee
information vulnerable to exploitation,” said New York Attorney
General Barbara Underwood.

This summer, Uber hired a former lawyer for Intel as its chief privacy
officer and a former general counsel for the National Security Agency
as its chief trust and security officer.

