DataBreaches.Net


Uber settles with all 50 states and the District of Columbia over massive 2016 data breach. The price tag? $148 million.

Posted on September 26, 2018 by Dissent

Uber Technologies Inc. will be paying a steep fare for its 2016 data breach. Here’s the press release from the NYS Attorney General’s Office about the record penalty it will pay. All states and the District of Columbia are party to the settlement.


Settlement with 50 States & DC Also Requires Uber to Adopt Model Data Breach Notification and Data Security Practices, Corporate Integrity Program; Hire Independent Third Party to Assess Data Security

NEW YORK – Attorney General Barbara D. Underwood today announced an agreement with ride-sharing company Uber Technologies, Inc. (Uber) to settle allegations it intentionally concealed a 2016 data breach in violation of state data breach notification laws. The settlement, which was reached with all 50 states and the District of Columbia, requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices. It also requires Uber to pay a record penalty of $148 million.

“New Yorkers deserve to know that their personal information will be protected – period,” said Attorney General Underwood. “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation. We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”

In November 2016, hackers based in the United States and Canada secretly informed security officials at Uber that they had downloaded the personal information of 57 million riders and drivers, 25 million of whom were in the United States and 7.7 million of whom were drivers. The information stolen included names, email addresses, and mobile phone numbers; drivers’ license information pertaining to approximately 600,000 drivers nationwide was also stolen. After providing proof of the massive data breach, the hackers demanded “six figures” to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach.

In the spring of 2017, Uber’s Board of Directors directed a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. As part of this inquiry, the law firm learned of the breach and ransom payment. Upon learning of the breach, the board hired a forensic firm to investigate the breach. Uber ultimately provided notice of the breach in late November 2017, a year after the breach.

General Business Law § 899-aa requires companies that experience a breach involving certain personal information, including driver’s license numbers, to provide notice “in the most expedient time possible and without unreasonable delay.” By intentionally concealing the breach and failing to disclose it for a year, Uber violated GBL § 899-aa.

As part of the nationwide settlement, Uber has agreed to pay a record penalty of $148 million to the states. New York will receive approximately $5.1 million.

The settlement between New York and Uber requires the company to:

  • Comply with New York’s data breach and consumer protection laws regarding protecting New York residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
  • Develop and implement a corporate integrity program to ensure that Uber employees can report any ethics concerns they have about any other Uber employees to the company.

This settlement also addresses and resolves allegations that Uber’s conduct violated an earlier 2016 settlement with the Office of the New York Attorney General. In the earlier investigation, the office found that on May 12, 2014, a hacker accessed an Uber database that included names of roughly 50,000 Uber drivers and their driver’s license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and the office until February 26, 2015, over five months later. The prior 2016 settlement required Uber to comply with GBL § 899-aa. It also required Uber to adopt protective technologies for the storage, access, and transfer of certain personal information, and credentials related to its access, including the adoption of multi-factor authentication, or similarly protective access control methodologies.

The New York Attorney General independently investigated the current breach, but later joined the multistate investigatory process, where it took a leadership position, to effectuate settlement.

The Attorney General’s office has also proposed legislation to close gaps in New York’s data security laws and comprehensively protect New Yorkers’ personal information from data breaches.

The case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim A. Berger. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.

Category: Breach Incidents, Business Sector, Hack, Of Note, U.S.
