Uber Technologies has agreed to pay a US$148 million fine to American authorities and has promised to tighten security to settle allegations that it intentionally concealed a 2016 data breach in violation of state data breach notification laws.
The settlement, announced Wednesday and reached with all 50 states and the District of Columbia, requires Uber to adopt model data breach notification and data security practices and a corporate integrity program under which employees can report unethical behaviour. Uber will also have to hire an independent third party to assess its data security practices.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Attorney General Barbara Underwood said in a statement.
The fine will be distributed among the states. New York, for example, will receive US$5.1 million. Illinois will get US$8.5 million, and from that the state plans to give US$100 to each affected Uber driver.
According to a New York State release, in November 2016 hackers based in the United States and Canada privately informed security officials at Uber that they had downloaded the personal information of 57 million riders and drivers worldwide, including approximately 25 million in the United States, of whom about 7.7 million were drivers. The stolen information included names, email addresses and mobile phone numbers; drivers’ licence information for approximately 600,000 drivers nationwide was also taken. After providing proof of the breach, the hackers demanded a “six figure” payment to delete the data and not disclose the intrusion. Uber ultimately paid the hackers US$100,000 to conceal the breach.
In the spring of 2017, Uber’s board of directors instructed a law firm to investigate Uber’s security team in the wake of unrelated litigation over the alleged theft of trade secrets related to self-driving cars. In the course of that inquiry the law firm learned of the breach and the ransom payment. Only then did the board hire a forensic firm to investigate the breach. Uber finally provided notice of the breach in late November 2017, a year after it occurred.
Uber did not see a need to notify the roughly 815,000 Canadian users who could have been affected by the breach until Alberta’s privacy commissioner ordered it last February to notify users in that province. According to CBC News, Uber then decided to tell all Canadians whose data was stolen about the incident.
Uber had argued that it did not have to notify users or drivers in Alberta, despite the province’s privacy law, which requires breach notification to potential victims.
The incident took place when Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), had no mandatory breach notification obligation. PIPEDA has since been amended, and mandatory notification of breaches that pose a real risk of significant harm to a potential victim takes effect Nov. 1.