CHICAGO -- Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information, according to a settlement announced Wednesday.
Uber Technologies Inc. reached the agreement with all 50 states and the District of Columbia after a data breach in 2016. Instead of reporting it, Uber hid evidence of the theft and paid ransom to ensure the data wouldn't be misused.
"This is one of the most egregious cases we've ever seen in terms of notification; a yearlong delay is just inexcusable," Illinois Attorney General Lisa Madigan told The Associated Press. "And we're not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches."
The settlement payout will be divided among the states based on the number of drivers each has. Arkansas will receive $1,847,812.50 of the settlement, state Attorney General Leslie Rutledge said Wednesday.
"Uber needs to ensure that it is taking every precaution to protect driver and customer data on its website and mobile app," Rutledge said. "Data breaches can open consumers up to identity theft and have lasting negative impacts on an individual's credit."
Uber, whose GPS-tracked drivers pick up riders who summon them from cellphone apps, learned in November 2016 that hackers had accessed personal data, including driver's license information, for roughly 600,000 Uber drivers in the U.S, including 934 Arkansas drivers. The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen data to be destroyed.
The hack also took the names, email addresses and cellphone numbers of 57 million riders around the world. After significant management changes in the past year, Tony West, Uber's chief legal officer, said the decision by current managers was "the right thing to do."
"It embodies the principles by which we are running our business today: transparency, integrity, and accountability," West said. "An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward."
"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra said in a statement. "Companies in California and throughout the nation are entrusted with customers' valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect that data."
"This record settlement should send a clear message: We have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation," said New York Attorney General Barbara Underwood.
The settlement requires Uber to comply with state consumer protection laws safeguarding personal information and to immediately notify authorities in case of a breach; to establish methods to protect user data stored on third-party platforms and create strong password-protection policies.
Information for this article was contributed by Teresa Crawford and John O'Connor of The Associated Press and by Brian Fung of The Washington Post.
Business on 09/27/2018