Uber to pay $148 million to states for 2016 data breach

The incident revealed sensitive information on 57 million users, and the company kept the hack secret for more than a year.
Uber settlement

Ridehailing company Uber will pay $148 million across all 50 states and Washington, D.C., as part of a settlement stemming from a data breach that revealed sensitive information on 57 million of the company’s users.

The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. The company paid the hackers $100,000 to stay quiet and delete the data.

Several attorneys general released statements after the settlement was announced, with each state getting a varying amount.

“Uber completely disregarded Illinois’ breach notification law when it waited more than a year to alert people to a serious data breach,” said Illinois Attorney General Lisa Madigan. “While Uber is now taking the appropriate steps to protect the data of its drivers in Illinois and across the country, the company’s initial response was unacceptable. Companies cannot hide when they break the law.”


“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,”  Pennsylvania Attorney General Josh Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”

The data breach caused a firestorm around the company when it was announced last November. The company ultimately fired its then-chief security officer, Joe Sullivan, and his deputy, Craig Clark, for their roles in keeping the hack from the public for more than a year.

“I’m pleased that we’ve reached an agreement with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries on this matter,” Uber Chief Legal Officer wrote in a blog post. “We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts