In the wake of a massive data breach that impacted millions of users around the world, Uber Technologies, Inc. has been ordered to pay reparations totaling $148 million.
The ruling comes more than 2 years after the ride-hail giant’s software was hacked, allowing the digital attackers to gain access to information from 50 million app users and 7 million Uber drivers.
The settlement was negotiated by attorneys general from each of the 50 U.S. states, which collectively opened an investigation into the Silicon Valley company shortly after the breach was publicly disclosed in 2017. It represents the largest privacy case settlement won by the nation’s AGs, and will be divided among every state in the union, plus Washington, D.C.
All told, hackers helped themselves to a smorgasbord of personal information in the attack, including the names, email addresses, phone numbers, and driver’s license numbers of more than 600,000 stateside Uber users.
Uber reps were quick to point out that no Social Security numbers, credit card information, or trip location data was stolen in the incident.
Still, the staggering settlement wasn’t based solely on Uber’s vulnerability to the data breach: it was the company’s reaction to the issue that led to the attorneys general investigation.
While the hack took place in October 2016, it wasn’t publicly revealed until November of the following year. And the announcement only happened after former CEO Travis Kalanick was pressured to resign and new company head Dara Khosrowshahi took the reins.
Instead, the company tried to settle the matter quietly immediately after it happened by paying a known hacker $100,000 to reenter the system and delete the data—plus all traces that it had ever been stolen.
The tactic has since been revealed as part of a company-sponsored plan called the “bug bounty program,” which financially rewards hackers for locating weak spots in Uber’s technology.
But tapping into the nefarious network for help only led the company into even hotter water. In response to that discovery, the Federal Trade Commission launched its own investigation into Uber, issuing a slate of rules earlier this year that the Silicon Valley giant must adhere to in the future, including the mandatory submission of privacy audits.
Failure to do so could lead to civil action and even more financial penalties for Uber. Hopefully, the company is living up to its promise of cracking down on privacy issues and making the routes to its cache of personal data more difficult to follow.