By Terri Hill | September 26, 2018
California-based ride sharing service Uber has agreed to pay $148 million as a result of a November 2017 data breach affecting the company’s drivers.
Pennsylvania will receive $5.7 million from the settlement, according to a statement from Attorney General Josh Shapiro. Approximately $1.35 million of that amount will be given to drivers who had their personal information compromised. Each driver will receive $100 and a settlement administrator will be appointed to provide notice and payment to eligible drivers.
The remainder of the settlement, $4.35 million will go to the Attorney General’s Public Protection Section and Bureau of Consumer Protection, to be used to conduct future investigations and outreach to protect Pennsylvanians from violations of consumer protection law.
In March, Mr. Shapiro’s office filed a lawsuit against Uber for violating Pennsylvania’s data breach notification law. According to the filing, in November 2016, Uber learned that hackers had gained access to personal information the company maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information and made payments to ensure their silence.
The lawsuit alleged some of the compromised information included driver’s license numbers that are protected under state law. As such, Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017.
In addition to paying the money, Uber has agreed to take significant steps to change its corporate practices to better protect and secure its employees’ information and other data.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Attorney General Josh Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”
All 50 state Attorneys General and the District of Columbia are participating in the settlement.
Terri Hill can be contacted at firstname.lastname@example.org