Uber

Uber has agreed to pay a record $148 million penalty to settle allegations that it intentionally concealed a major data breach in 2016 that exposed the personal information of 57 million people, New York Attorney General Barbara Underwood's office said Wednesday.

The settlement comes in the wake of a multistate investigation that found the ride-hailing company paid hackers $100,000 to conceal the breach, which exposed the names, email addresses, and cellphone numbers of those users.

Uber did not provide public notice of the breach until a year after it happened in late 2016, according to a statement from Underwood's office.

The company's board of directors were in the dark about the ransom payment until it was discovered by a law firm last spring, the New York Attorney General's Office said. The firm was hired to investigate the company's security team in a separate matter but stumbled on the breach during its inquiry. The board then hired a forensic firm to probe what happened with the breach.

Uber said in a November 2017 statement from CEO Dara Khosrowshahi that the breach was carried out by two hackers outside the company. They accessed user data on a third-party, cloud-based service the company uses to store some information. The hackers were not able to download users' Social Security numbers, bank account information, credit card numbers, dates of birth, and trip history, according to the company.

They were able to collect the names, email addresses, and cellphone numbers of the 57 million people that use Uber. They were also able to obtain the driver's license numbers of about 600,000 drivers, according to Uber.

Uber eventually provided notice of the breach after an investigation, but that wasn't until a year after the breach and ransom payment happened. The incident caused the company to fire the two individuals that apparently led the company's response to the hack. Uber Chief Legal Officer Tony West said in a statement on Wednesday that they are working to improve safety and security after the breach and have hired new experts to implement those improvements. He said the company learned from its mistake in 2016. “Our current management team's decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”

The company's notice in 2017 launched a nationwide investigation into its conduct in the wake of the breach. New York is one of several states that independently investigated the breach before teaming up with other states on the probe.

The settlement is between Uber, all 50 states, and the District of Columbia. Under the agreement New York will receive $5.1 million. The agreement also requires Uber to take certain steps to improve security for its users in New York, where investigators negotiated additional terms to the settlement.

Uber has also promised to develop a new policy on data security that will assess the potential risk of another breach and implement improvements beyond what's currently in place. The company is required to hire an outside contractor to examine its security efforts regularly and recommend improvements.

Uber will also have to take additional precautions to protect any user data it stores on third-party platforms, such as the one hackers accessed in 2016. If there is another breach, employees must also have an avenue to report any ethics concerns they have about other employees. Those employees will also now be subject to stricter password guidelines to gain access to the company's internal network.

Wednesday's settlement resolves litigation around what was actually the second breach in recent years that Uber was faulted for failing to report in a timely manner, Underwood's office said. The company was also hacked in 2014 but did not provide notice until five months later in 2015. That breach exposed the names and driver's license numbers of about 50,000 Uber drivers.

Underwood said in a statement that the resolution should be seen as a warning to other companies who attempt to hide a data breach affecting users' personal information.

“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” Underwood said. “We'll continue to fight to protect New Yorkers from weak data security and criminal hackers.”

READ MORE: