- Office of Attorney General Maura Healey
Media Contact for AG Healey Leads Multistate Coalition in Reaching $148 Million Settlement With Uber Over Nationwide Data Breach
Boston — Attorney General Maura Healey today announced her office led a group of attorneys general from 50 states and the District of Columbia in reaching a $148 million settlement with Uber to address the ride-sharing company’s failure to promptly report a data breach affecting its drivers and passengers.
AG Healey filed the complaint today in Suffolk Superior Court along with a proposed consent judgement. Upon approval from the court, Massachusetts will receive a total of $7.1 million from the settlement. According to the complaint, instead of reporting the breach as soon as practicable, as required by Massachusetts Data Security Law, Uber tried to cover it up at the direction of its top executives by paying the hackers $100,000 in exchange for a non-disclosure agreement. Uber did not notify its riders or drivers or the AG’s office of the breach until nearly a year later.
“Uber failed to immediately report this data breach and tried to pay hush money to hackers,” said AG Healey. “This settlement should be a lesson to other businesses that consumers have a right to know when their personal information has been compromised.”
According to the AG’s complaint, Uber learned in November 2016 that hackers had accessed its internal databases and acquired the names, email addresses and mobile phone numbers of 57 million Uber riders and drivers, as well as the names and drivers’ license numbers of 600,000 U.S.-based drivers.
As part of today’s settlement, Uber has agreed to settle the claims of all 50 states and the District of Columbia by consent judgments filed separately in each state. The payment of $148 million dollars and injunctive relief is designed to prevent similar breaches in the future; provide assurance of Uber’s compliance with state laws governing its collection, maintenance, and safeguarding of personal information; and ensure the prompt disclosure to the states of any future data security incidents.
The settlement between Massachusetts and Uber, which is subject to the court’s approval, requires the company to:
- Comply with Massachusetts data breach and consumer protection law regarding the protection of Massachusetts residents’ personal information and notification in the event of a data breach concerning their personal information.
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.
- Use strong password policies for its employees to gain access to the Uber network.
- Develop and implement an overall data security program covering all data that Uber collects about its users, including conducting assessments of potential risks to the security of the data and implementing any necessary additional security measures.
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and implement recommended security improvements.
- Develop and implement a corporate integrity program to allow Uber employees to bring any ethics concerns they have about any other Uber employees to the company.
Under the terms of today’s settlement, Uber will pay approximately $7.1 million, of which $6.5 million will be distributed to the Commonwealth’s General fund and $600,000 will be used to assist consumers and businesses in Massachusetts, along with funding for programs to protect victims of data breach and identity theft.
More information about the Massachusetts Data Security Law and an organization’s reporting obligations under that law is available on the AG’s Guidance for Businesses on Security Breaches website.
This matter was handled by Director of Data Privacy & Security and Assistant Attorney General Sara Cable, and Assistant Attorneys General Brendan Jarboe and Jared Rinehimer, all of the AG’s Consumer Protection Division, with the assistance of Consumer Protection Division Chief Max Weinstein, and Investigators Ciara Tran and Anthony Crespi of AG Healey’s Civil Investigations Division.