Uber to pay $ 148 million to address data breaches with the United States

SAN FRANCISCO (Reuters) – Uber Technologies Inc. [UBER.UL] will pay $ 148 million for failing to disclose a massive data breach in 2016, representing a costly resolution for one of the biggest embarrassments and legal entanglements of the haulage business.

The settlement with 50 US states and Washington, DC, puts an end to one of the many high-risk legal battles that Uber seeks to resolve before an initial public offering next year, while reprimanding Uber's antecedents. .

The amount is the highest among the general regulations of attorneys in confidentiality matters. In comparison, multi-state regulation with Target Corp (TGT.N) in 2017, on a default in which 41 million people were stolen, amounted to $ 18.5 million.

The settlement follows a 10-month investigation into a data breach that revealed personal data from 57 million Uber accounts, including 600,000 driver's license numbers. Uber's new chief executive officer, Dara Khosrowshahi, revealed the offense in November, more than a year after the company's previous piracy. Khosrowshahi said the incident should have been leaked to regulators by the time of its discovery in 2016.

Hiding, widely regarded by states as a violation of data breach and data security laws, has drawn the wrath of US and British, Australian and Philippine authorities. About half of the data breach victims lived in the United States.

Settlement terms include changes to Uber's business practices aimed at preventing future violations and reforming its corporate culture. Uber will report all data security incidents to states on a quarterly basis over the next two years and implement a comprehensive information security program overseen by an executive officer who advises senior management and the board of directors Uber.

"We know that gaining the trust of our customers and the regulators we work with globally is not an easy task," said Tony West, legal director of Uber. "We will continue to invest in protecting our customers and their data, and we are committed to building constructive, collaborative relationships with governments around the world."

In November 2016, Uber paid hackers, including a 20-year-old man and a hacker in Canada, $ 100,000 to destroy the stolen data, thanks to its "Bug Bounty" program designed to reward security researchers. in the software of a company. Uber then chose not to report the case to the victims or the authorities.

"Uber's decision to conceal this violation was a blatant breach of public trust," California Attorney General Xavier Becerra said. "In keeping with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law."

California, one of the leading states in the settlement effort, will retain $ 26 million, which will be split between the state's attorney general's office and the district attorney's office in San Francisco, a door has said. of the Becerra office.

Khosrowshahi fired two of Uber's top security officials when he announced the violation, and other members of the team have since left. The company recently hired a privacy officer and a security officer.

It is still being prosecuted by runners, drivers and cities in Chicago and Los Angeles for data breach.