Uber to pay USD 148 mn over data breach it concealed

Ride hailing service Uber agreed to pay a USD 148 million penalty over a massive 2016 data breach which the company concealed for a year, the company and state officials announced Wednesday.

The agreement stems from a breach affecting some 57 million Uber riders and drivers disclosed by the California company, prompting litigation that was eventually joined by officials from the 50 US states and the District of Columbia.

"New Yorkers deserve to know that their personal information will be protected -- period," New York Attorney General Barbara Underwood said in a statement.

"This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation." Uber learned of the breach in November 2016 involving personal information on riders and drivers, nearly half in the United States.

According to officials, Uber paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year. The company said in a statement the agreement is part of an effort to live up to its standards of transparency and accountability after a series of embarrassing missteps.

"The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers," Uber's chief legal officer Tony West said.

"We know that earning the trust of our customers and the regulators we work with globally is no easy feat ... We'll continue to invest in protections to keep our customers and their data safe and secure, and we're committed to maintaining a constructive and collaborative relationship with governments around the world."
"While Uber is now taking the appropriate steps to protect the data of its drivers in Illinois and across the country, the company's initial response was unacceptable," Madigan said. "Companies cannot hide when they break the law."