California Attorney General Becerra, San Francisco District Attorney Gascón Announce $148 Million Settlement with Uber over 2016 Data Breach and Cover-Up

SAN FRANCISCO – California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón today announced a $148 million nationwide settlement resolving allegations that Uber Technologies, Inc. (Uber) violated state data breach reporting and reasonable data security laws in connection with its 2016 breach of driver and customer data. Uber is accused of exposing 57 million users’ data and paying hackers to cover up the breach rather than reporting it to proper authorities. 

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” said Attorney General Becerra. “The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”

“We wholeheartedly support innovative business models, but new ways of engaging in business cannot come at the expense of public safety or consumer privacy,” said District Attorney George Gascón. “This settlement today demonstrates what happens when all of us in law enforcement work together. My office will continue to collaborate closely with the Attorney General to protect consumers both in San Francisco, and the rest of California.”

The settlement follows California’s independent investigation of Uber’s conduct alleging that the company failed to inform over 174,000 California drivers of a data breach exposing their personal information, including names and driver’s license numbers. Rather than notifying the drivers as required by law, Uber covered up the breach and then paid hackers $100,000 in exchange for their silence. The company failed to notify law enforcement and the public of the breach until November 2017, when it was uncovered by an internal review by Uber’s Board of Directors.

The nationwide settlement, which California helped to lead, calls for a $148 million penalty payment by Uber benefiting all 50 states and the District of Columbia. California will divide its $26 million share of the settlement between the California Attorney General’s Office and the San Francisco District Attorney’s Office. The settlement also includes additional terms to prevent future breaches and to reform Uber’s corporate culture. This settlement marks the first time the Attorney General has required a company to incorporate privacy-by-design into its products. Privacy-by-design describes a practice of integrating privacy considerations and protections into a product’s development and design. 

Specifically, in addition to the civil penalties, the settlement also requires that Uber:

• Implement and maintain robust data security practices.
• Comply with state laws in connection with its collection, maintenance, and safeguarding of personal information, as well as reporting of data security incidents.
• Accurately and honestly represent data security and privacy practices to better ensure transparency in how the company’s driver and customer information is safeguarded. 
• Develop, implement, and maintain a comprehensive information security program with an executive officer who advises key executive staff and Uber’s Board of Directors.
• Report any data security incidents to states on a quarterly basis for two years.
• Maintain a Corporate Integrity Program that includes a hotline to report misconduct, quarterly reports to the board, implementation of privacy principles, and an annual code of conduct training.

A copy of the final judgement can be found here.