Uber to pay $148 million for failing to report 2016 hack

The ride-hailing company reaches a settlement with all 50 states and DC.

By Dara Kerr, Former senior reporter, and Carrie Mihalcik, Senior Editor / News

Uber has reached a settlement with all 50 US states and the District of Columbia over a 2016 data breach the ride-hailing service failed to disclose. 

The company will pay a $148 million fine that will be distributed in varying amounts across all states, attorneys general said Wednesday. Uber will also be required to adopt several new data security practices.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra said in a statement. "The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law."

In October 2016, hackers were able to breach Uber's system and steal data on 57 million drivers and riders. The pilfered data included personal information such as names, email addresses and driver's license numbers, but not Social Security numbers and credit card information. Uber then paid $100,000 to the data thieves to delete the information. 

The issue for the state attorneys general was that Uber waited for more than a year to disclose the hack. The law requires companies to notify customers of data breaches.

"Uber failed to notify law enforcement and the public of the breach," Becerra said at a press conference Wednesday. "Protecting the privacy of their customers isn't only the right thing to do, it's the law."        

Initially, Uber didn't reveal any details about the hacker or how it paid him the money. But it was later reported that a 20-year-old Florida man was responsible for the breach. The payment was reportedly made through a program designed to reward bug hunters who report flaws in a company's software. 

The breach happened under the watch of Uber's former CEO, Travis Kalanick. The company's new CEO, Dara Khosrowshahi, said he didn't learn of the breach himself until shortly before it was disclosed to the public.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said at the time. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

Now what

Of the 57 million people affected by the data breach, 600,000 were drivers for Uber. The company said drivers' names, email addresses, cell phone numbers and driver's license numbers were likely stolen. When it came to riders, however, just their names, email and phone numbers were possibly taken.  

Uber will be paying portions of the $148 million to all 50 states partially based on how many drivers were affected. In California, information on 174,000 drivers was breached, so that state will receive $26 million, according to Becerra. Each state will decide on its own how to use the money.

"I'm pleased that we've reached an agreement with the attorneys general," Uber Chief Legal Officer Tony West said in a statement. "The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers."

Over the last year, West prioritized meetings with attorneys general across the US, according to a source familiar with the negotiations. He also hired a chief privacy officer, chief compliance officer and chief security officer to focus on safety and security improvements for the company.

In addition to the fine, the settlement also requires Uber to adopt several data security and privacy practices to "prevent future breaches and to reform Uber's corporate culture," according to Becerra. These include notifying users of breaches concerning their personal information, protecting data stored on third-party platforms and implementing strong password policies for access to the company's network. 

The settlement also calls for Uber to hire an "outside qualified party" to assess its data security efforts on a regular basis, and to create a "corporate integrity program" that includes a hotline for Uber employees to report any ethics concerns. 

"We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose," West said. "We'll continue to invest in protections to keep our customers and their data safe and secure, and we're committed to maintaining a constructive and collaborative relationship with governments around the world."

First published Sept. 26, 9:51 a.m. PT.
Updates, 10:47 a.m.: Adds comment from California Attorney General Xavier Becerra and Uber Chief Legal Officer Tony West; 12:48 p.m.: Includes additional background information and additional comments from Becerra and West.
