Uber’s Data Breach Costs $148M In Settlement, N.J. To Get $3.75M

TRENTON – A data breach just cost Uber $148 million, of which New Jersey will get $3.75 million.

A multi-jurisdiction investigation led to the settlement after it was discovered that personal information of Uber riders was compromised, the state attorney general’s office announced today. Uber settled to resolve allegations it failed to comply with state laws relating to collecting, maintaining and safeguarding consumers’ personal information. The company also allegedly failed to comply with state data breach laws.

The breach exposed the names, email addresses and mobile phone numbers of Uber riders, and the names and driver’s license numbers of about 600,000 Uber drivers. Hackers were paid $100,000 by Uber to delete that information. The breach occurred in November 2016, but Uber did not disclose it until a year later, when a new chief executive officer took over at the company, discovered it and, after an internal investigation, alerted authorities.

The $148 million will be divided among the 50 states and Washington, D.C.

“This is a significant settlement for New Jersey residents and for Uber users everywhere – not only because the payout is historic, but because it requires that Uber adopt new policies and procedures that will more effectively safeguard the personal information of its riders and drivers in the future,” said New Jersey State Attorney General Gurbir S. Grewal. “We’re also sending a signal to other companies that ignoring consumers’ privacy rights comes with a stiff financial penalty.”

In May 2018, Grewal announced the creation of the Data Privacy & Cybersecurity Section, part of the Division of Law’s Affirmative Civil Enforcement Practice Group.

As part of the settlement, Uber must also protect user data on third-party platforms outside the company, use strong password policies for employees to gain access to its network, and “develop and implement a robust data security policy for all the user personal information that Uber maintains, including assessing potential risks to the security of the data and assessing whether there are any additional security measures needed beyond what Uber is doing to protect the data. Uber is also required to designate a Security Executive to oversee its data security policy,” according to the state attorney general’s office.

Uber must also hire an independent third party to assess its data security efforts, and implement a corporate integrity program that allows its employees to report misconduct or ethical concerns.

Deputy Attorney General Elliott M. Siebers and former Deputy Attorney General Russell M. Smith, Jr. within the Affirmative Civil Enforcement Practice Group in the Division of Law handled the Uber matter on behalf of the State.