Uber Technologies Inc. will pay $148 million to settle claims related to a large-scale data breach that exposed the personal information of more than 25 million of its U.S. users.
The settlement, spanning all 50 states and the District of Columbia, is the biggest data-breach payout in history, and marks the most sweeping rebuke by regulators against the San Francisco company, which earned a reputation for skirting rules in its push to dominate the ride-hailing market.
The states’ agreement stemmed from data compromised in 2016 by hackers, who obtained 607,000 U.S. driver’s license numbers as well as tens of millions of consumer email addresses and phone numbers, a leak that Uber failed to disclose for more than a year after discovering the attack.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Atty. Gen. Barbara Underwood said in a statement Wednesday.
The nine-figure settlement will be distributed to the states, rather than directly to those affected in the breach. California will receive a $26-million share of the settlement, which it plans to divide between the state attorney general’s office and the San Francisco district attorney’s office.
The penalty comes at a pivotal time for Uber Chief Executive Dara Khosrowshahi, who is laying the groundwork for a 2019 initial public offering while working to distance the brand from the controversial growth-at-all-costs approach established under his predecessor, co-founder Travis Kalanick.
Bloomberg News reported in November that Kalanick learned of the 2016 breach just a month after hackers stole the personal data on 57 million of Uber’s customers around the globe, including 25.6 million riders and drivers in the United States. But the company concealed the breach from authorities and instead paid the hackers $100,000 to delete the stolen data and keep the incident quiet.
After the episode came to light, Uber ousted its chief security officer and disclosed the breach to the Federal Trade Commission, which had already reprimanded the company for a similar 2014 data breach.
“The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as chief privacy officer and Matt Olsen as chief trust and security officer,” Uber Chief Legal Officer Tony West said in a statement Wednesday.
As part of the settlement agreement, Uber promised to improve its security policies and hire an outside party to monitor its data-privacy efforts and regularly report on necessary improvements.