AG Hawley Reaches $148 Million Settlement with Uber over Data Breach

Sep 26, 2018, 11:15 AM

Jefferson City, Mo. – Missouri Attorney General Josh Hawley today announced that he, along with 49 other states and the District of Columbia, has reached an agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber) to address the company’s one-year delay in reporting a data breach to its affected drivers.

Uber learned in November 2016 that hackers had gained access to personal information Uber maintained about its drivers, including the driver’s license information of approximately 600,000 drivers nationwide. Even though some of that information triggered Missouri law requiring Uber to notify affected Missouri residents, Uber failed to report the breach in a timely manner. Instead, Uber waited until November 2017 to report the breach.

Upon learning of the breach in November, Attorney General Hawley took immediate action, sending a letter to Uber CEO Dara Khosrowshahi demanding that Uber notify all affected consumers, protect those consumers’ personal information, and prevent any future breaches.

“This settlement sends a strong message that data breaches cannot be swept under the rug,” Hawley said. “When Missourians’ personal information has been compromised, they deserve to be informed about the breach in a timely manner.”

As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. Missouri will receive over $2.2 million. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.

Missouri will provide each Uber driver impacted in Missouri with a $100 payment. Eligible drivers are those whose driver’s license numbers were accessed during the 2016 breach. Some of those drivers may not still be driving for Uber today. Missouri will appoint a settlement administrator who will provide notice and send a payment to each eligible driver. Payments will not be distributed until after the effective date of the settlement and the appointment of the settlement administrator.

The settlement between the state of Missouri and Uber requires the company to:

  • Comply with Missouri’s data breach and consumer protection law by protecting Missouri residents’ personal information and notifying them in the event of a data breach concerning their personal information;
  • Take precautions to protect any user data Uber stores on third-party platforms;
  • Use strong password policies for its employees to gain access to the Uber network;
  • Develop and implement a strong data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing additional security measures in response to those risks; and
  • Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and to implement the security improvement recommendations of that outside expert.

Information about what to do if you are a victim of a data breach can be found here.