28th Sep 2018
Uber has paid $148 million (£113 million) to settle legal action concerning a cyber-attack that compromised the data of 57 million customers and drivers.
The breach, which happened in 2016, saw Uber pay the hackers $100,000 dollars (£77,000) to delete the stolen data in an attempt to hide the loss from regulators.
The data lost in the breach was personal information, including names, email addresses and mobile phone numbers, as well as information regarding 600,000 driving licence numbers.
The payment settles the action brought by the US government and 50 US states over the ride-hailing firm’s failure to disclose details of the cyber-attack and data loss,
Companies are required by law to disclose significant data breaches to regulators. In January 2017 Uber was also fined $20,000 (£15,000) for failing to disclose a less serious breach that took place in 2014.
In November 2017, Uber revealed some details, and Chief Executive Dara Khosrowshahi – who was not in office when the 2016 breach occurred – said at the time that: “none of this should have happened, and I will not make excuses for it”.
He also said: “While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Uber's then Chief security Officer Joe Sullivan was fired from his position in the aftermath of the news being broken.
Uber, having paid the fine, has also pledged to change how it operates to prevent similar hacks and data losses happening in the future. The company is now also required to submit regular security incident reports to regulators.
Despite the settlement, legal action by drivers, customers and the cities of Los Angeles and Chicago is continuing.