TRENTON, NJ – The ride-sharing company Uber Technologies, Inc. has agreed to pay a total of $148 million to resolve a multi-jurisdiction investigation into a data breach that compromised the personal information of Uber riders and drivers. New Jersey’s share of the recovery is approximately $3.75 million, according to Attorney General Gurbir S. Grewal.
The $148 million settlement represents the largest multi-state data breach settlement to date and will be divided among all 50 states and the District of Columbia. The settlement resolves allegations that Uber failed to comply with state laws relating to the collection, maintenance and safeguarding of consumers’ personal information, and with state data breach notification laws.
The data breach at issue involved the personal information of Uber riders and drivers, including names, e-mail addresses and mobile phone numbers associated with rider accounts throughout the U.S., and the names and driver’s license numbers of approximately 600,000 Uber drivers. The data breach occurred in November 2016, but was not disclosed by Uber until a year later, in November 2017.
New Jersey was part of the Executive Committee that conducted the multi-state investigation of Uber’s data breach and negotiated its resolution.
“This is a significant settlement for New Jersey residents and for Uber users everywhere – not only because the payout is historic, but because it requires that Uber adopt new policies and procedures that will more effectively safeguard the personal information of its riders and drivers in the future,” said Attorney General Grewal. “We’re also sending a signal to other companies that ignoring consumers’ privacy rights comes with a stiff financial penalty.”
Attorney General Grewal has placed renewed emphasis on data privacy investigations, announcing in May 2018 the creation of a new Data Privacy & Cybersecurity Section to be housed within the Division of Law’s Affirmative Civil Enforcement Practice Group.
The events leading up to the Uber settlement began in early November 2016, when anonymous hackers acquired Uber’s data by gaining access to one of the company’s private workspaces (hosted on a third-party software development platform known as GitHub) and obtained login credentials that gave them access to an Amazon Web Services account used by the company. As a result, the names and driver’s license numbers of hundreds of thousands of Uber drivers – including more than 16,000 in New Jersey – and the information associated with millions of Uber user accounts globally were stolen.
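The breach path described above (cloud credentials exposed in a source-code workspace, then reused against the cloud account) is exactly the case a pre-commit secret scanner exists to catch. The following is an added example written for this page, not Uber's or any vendor's tooling; the file contents are constructed, and the key values are the placeholder credentials from AWS's own documentation.

```python
import math
import re

# Constructed sample: a config file that should never reach a repository, plus a
# harmless README. The key values are AWS's documented placeholders, not live keys.
SAMPLE_FILES = {
    "config/aws.yml": (
        "region: us-east-1\n"
        "access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in the repo.\n",
}

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) + 16.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 base64-alphabet characters. The pattern alone over-matches
# (hashes, random ids), so candidates are confirmed with an entropy threshold.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above prose or padding."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_aws_credentials(text: str, min_entropy: float = 4.0) -> list:
    """Return (kind, line_number, value) for each credential-looking token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append(("access_key_id", lineno, m.group(0)))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= min_entropy:
                hits.append(("secret_access_key", lineno, m.group(0)))
    return hits


def scan_files(files: dict) -> dict:
    """Scan every file; return {path: hits} only for files that contain hits."""
    report = {}
    for path, text in files.items():
        hits = find_aws_credentials(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for kind, lineno, value in hits:
            # Print a prefix only, so the scanner's own log never leaks the secret.
            print(f"{path}:{lineno}: {kind} {value[:4]}...")
```

Wired into a pre-commit hook, a non-empty report blocks the commit; the entropy threshold is a tunable assumption and should be validated against the repository's real false-positive rate.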
After being contacted by the hackers, Uber paid them a $100,000 bounty to delete the data and keep the breach confidential. In August 2017, a new Chief Executive Officer took over at Uber and, upon learning of the 2016 breach, retained a data forensics company to conduct an internal investigation and analysis. Based on the outcome of that investigation, Uber began notifying law enforcement agencies – and subsequently, drivers – of the breach.
Among other non-monetary terms of the settlement, Uber is required to:
- Take precautions to protect any user data that Uber stores on third-party platforms outside of Uber.
- Use strong password policies for its employees to gain access to the Uber network.
- Develop and implement a robust data security policy for all user personal information that Uber maintains, including assessing potential risks to the security of the data and assessing whether any additional security measures are needed beyond what Uber is already doing to protect the data. Uber is also required to designate a Security Executive to oversee its data security policy.
- Hire an independent, qualified third party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements.
- Develop and implement a corporate integrity program to ensure that Uber employees can raise any concerns they have about misconduct, ethical issues or violations of the company’s policies, cultural norms or code of conduct.