Uber Reaches $148 Million Breach Settlement With StatesPenalty Tied to Delayed Breach Notification and Inadequate Security Practices
Ride-hailing platform Uber Technologies has reached a $148 million settlement agreement with the attorneys general of all 50 states and the District of Columbia. The settlement stems from the company's failure to report a massive 2016 data breach in a timely manner, as well as the company's inadequate information security practices (see Pennsylvania Sues Uber Over Late Breach Notification).
Under the terms of the settlement agreement, the San Francisco-based company must put in place "privacy by design" practices, report all data security incidents to states on a quarterly basis for the next two years, and create a corporate integrity program and maintain a hotline for reporting any data security or privacy misconduct.
"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra says in a statement. "The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers' valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."
San Francisco District Attorney George Gascón adds: "We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy.".
25 Million US Breach Victims
Dara Khosrowshahi, who became CEO of Uber on Sept. 5, 2017, reportedly first learned of the breach about two weeks later, after it was discovered by an internal review launched by the company's board of directors. In November 2017, he issued Uber's first notification to the public, as well as to law enforcement agencies and regulators (see Did Uber Break Breach Notification Minimum-Speed Limits?).
Khosrowshahi also fired CSO Joe Sullivan and his deputy, allegedly over their handling of the breach (see Fast and Furious Data Breach Scandal Overtakes Uber).
The breach compromised personal information for 57 million Uber users around the world. Nearly all of the exposed data sets included names, email addresses and phone numbers. For some users, Uber IDs and location data were leaked, along with tokens or hashed and salted passwords.
Uber says the breach exposed personal information for 25 million users in the U.S., of which 4.1 million were drivers. For the driver accounts, 600,000 contained license numbers.
Subsequently, it emerged that Uber had paid $100,000 to a 20-year-old in Florida for what it portrayed as a "bug bounty" tied to a breach of code that Uber's engineers appeared to have uploaded to the GitHub code-sharing service. Many information security experts said that the cover-up and payment - in exchange for the developer agreeing to delete the data - looked less like a bug bounty and more like hush money (see Report: Uber Paid Florida 20-Year-Old $100,000 Over Hack).
Indeed, California authorities this week minced no words, saying that "Uber covered up the breach and then paid hackers $100,000 in exchange for their silence."
Uber Pledges Transparency
Uber has promised to do better.
"We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose," says Tony West, Uber's chief legal officer, in a blog post.
West joined Uber just after the company notified the public about the 2016 breach, and in his blog post, he pledged "transparency, integrity and accountability" from Uber as well as a corporate culture that would learn from and take responsibility for past mistakes.
"The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as chief privacy officer and Matt Olsen as chief trust and security officer," West said.
Data Breach Expert: 'Reasonable' Fine
The $148 million settlement, to be split between states, apparently is the largest privacy settlement ever reached between state regulators and a breached business.
Uber's penalty easily dwarfs the $18.5 million settlement agreement between states and Target over its 2013 breach, which resulted in attackers compromising 41 million customers' payment card details as well as contact details for more than 60 million customers (see Target Reaches $18.5 Million Breach Settlement with States).
The penalty against Uber represents a significant percentage of the company's annual revenue for the year in which the incident occurred. "This actually feels pretty reasonable," says Australian security expert Troy Hunt, who runs the free Have I Been Pwned? breach-alert service, via Twitter. "Uber had revenue of $6.5 billion in 2016, so call it about 2.3 percent."
Still, Uber does not appear to have suffered any significant, long-term consequences as a result of the data breach and cover-up (see Do Data Breaches Permanently Affect Business Reputations?).
Other Lawsuits, Probes Continue
Regulators in the United Kingdom, Australia and the Philippines have also been probing Uber's breach (see Driving Privacy Regulators Crazy: UK Probes Uber Breach).
In the U.K., for example, Uber could be fined up to £500,000 ($660,000) by the country's Information Commissioner's Office. While the EU's General Data Protection Regulation allows for much greater fines, it doesn't apply to data breaches that occurred prior to May 25, when GDPR went into full effect.